Introduction


Humankind is living in an era of unprecedented global change and pace, in which digital transformation is beginning to embrace all the vital aspects of society, even in the most traditional sectors of the economy. The development of the internet of things, artificial intelligence, biometrics and other innovative technologies is opening up new and unparalleled opportunities.


These same changes, however, pose new threats, which are actively taken advantage of by cybercriminals. Cyberspace by nature has no borders, and this allows criminals to launch attacks from anywhere in the world, at any time and from any (compromised) device, applying technologies from developed countries in regions where technological evolution is proceeding at a slower pace, and where consideration for cybersecurity is still in its infancy. As legal parameters are proving unable to keep pace with the speed of technological proliferation, the absence of international laws capable of restricting the actions of attackers regardless of their geolocation gives them a sense of absolute impunity.


This state of affairs leads to a continuous rise in the number of cyberattacks — both the simplest and the most sophisticated — and, consequently, to an increase in damages on a global scale. Annual losses from global cybercrime activity have already exceeded $1.5 trillion,¹ and this is far from being the limit. Cybercriminals cooperate, attack and succeed — while the world at large is still trying to figure out how to resist them.

$1.5 trillion — losses due to cyberattacks in 2018¹

1. BI.ZONE, Threat Zone'19: False sense of cybersecurity, 2019, p. 4.


One of the key reasons for this situation is the extremely low level of 
international cooperation. 


Until now, the conventional thinking has been to focus on one's own safety. This may have been alright when the threat of cybercrime was a local phenomenon. Today, however, our growing web of interactions demands that we view personal security on a global level. Supply chain attacks have demonstrated just how interconnected various organizations are, and ransomware epidemics have proven that a single attack can affect almost the entire world, compromising even its most secure facilities. To counter this effectively, there is an urgent need to start learning the basics of working together.


Most organizations conceal instances of successful attacks on their 
infrastructure for fear of losing customer confidence and market 
value. It is nevertheless the transparency of such incidents, the 
exchange of data, the application of best practices and knowledge 
that make it possible to build competent preventive defense capable 
of protecting organizations from similar attacks in the future. 


Having understood these challenges and the efforts needed to mitigate them, BI.ZONE, the cybersecurity subsidiary of Sberbank, with the active support of the World Economic Forum, organized a large-scale online training session — Cyber Polygon — held in Moscow in June 2019, which was designed to focus on joint response to cyberthreats. Some of the world's largest organizations joined in the exercise to work out a response to some of the most common types of cyberattacks, as well as to evaluate the effectiveness of exchanging threat data.


No. 1 concern — posed by cyberattacks in the US and Europe, coming in just second on a global scale, found by the World Economic Forum Risk of Doing Business Report 2019²

2. World Economic Forum, Regional Risks for Doing Business 2019, 2019.


Looking ahead: the exchange of information between participants facilitated a significant decrease in the time needed to respond to incidents. In addition to faster response, it provided protection to those organizations that had difficulties with less efficient detection and prevention processes in certain scenarios — had they encountered a real attack without the use of these exchange mechanisms, they would certainly have suffered serious damage.


Such training is unique of its kind: it succeeded in connecting organizations in the public and private sectors from around the world.


Cyber Polygon has received a large number of positive reviews from its participants and observers.³ The experts involved maintain that holding such international training on a regular basis will allow for continuous improvement of information exchange channels and significantly improve the level of global cyber resilience.


This report relates the first Cyber Polygon exercise and its initial 
results, with feedback from participants, partners and invited 
cybersecurity experts. 


The next Cyber Polygon will return to Moscow in 2020 with the intent to develop and attract greater international involvement — both from the public and private sectors and the academic research community. It is time to recognize that the fight against cybercrime cannot be waged alone. The sooner cross-industry public-private cooperation is established as an unconditional prerequisite to fighting cybercrime on both national and global levels, the quicker we can build truly effective defense mechanisms.





4th and 5th place — data fraud and cyberattacks ranked respectively by the World Economic Forum Global Risks Report 2019⁴

3. Based on the feedback from International Cybersecurity Congress (ICC) 2019 participants, Cyber Polygon observers and others.

4. World Economic Forum, The Global Risks Report 2019, 2019.
What is Cyber Polygon?
How did the exercise go and what were the results? 9
How could one follow the training flow? 10
What's next?
response to cyberthreats and improving business cooperation in the


Training sessions such as Cyber Polygon are not yet a common practice, so there is no single approach to their conduct. For the debut session, the focus was put on improving joint response to ongoing cyberthreats through the timely exchange of threat data between the participants.


Based on these objectives, participants were asked to undertake the following:


create a realistic training infrastructure and simulate the most 
common cyberattack scenarios; 


test independent response to incidents against that of cooperated 
response with other training participants; 


compare the results of the two approaches and assess the 
effectiveness of cooperation in repelling cyberattacks; 


present the results of the exercise at the International 
Cybersecurity Congress on 21 June 2019 (ICC 2019, in Moscow) 
with subsequent publication of the Cyber Polygon results for the 
Forum's Annual Meeting on Cybersecurity, 12-13 November 2019 
in Geneva, Switzerland; 


use the results from Cyber Polygon 2019 to openly disseminate 
the knowledge and experience gained to the world community. 
Strengthening cyber resilience is a critical factor primarily for the representatives of the industries that form the digital ecosystem. However, developing commonly accepted regulations is necessary


The Cyber Polygon debut event focused on engaging the following 
sectors: 


financial services industry, being the driver of economic activity in the world;


telecom providers, as the “creators” of cyberspace, allowing us to 
bring economic activity to a new dimension; 


cyber-specialized government agencies — global coordinators and 
advocates of the digital ecosystem. 


It was important to choose those security solutions that would be familiar to the participants to allow them to take part in the training without extraneous efforts or special preparation. Cyber Polygon partnered with IBM and Fortinet — the largest international tech giants whose

24 countries

How did the exercise go and what were the results?





Cyber Polygon simulated several of the most common types of 
attacks on the participants’ training infrastructures. Three cyberattack 
scenarios were selected as relevant for organizations in any sector of 
the economy: 


DDoS attack.
Web-based application attack.
Ransomware infection.


One of the distinguishing features of the Cyber Polygon exercise was 
the use of the BI.ZONE ThreatVision data exchange platform. The 
objective of this platform was to provide teams with the opportunity 
to exchange data on cyberthreats, thereby ensuring consolidated 
protection for all participating organizations. 


Each scenario was played out twice. In the first run, participants had to respond to the attack independently, without cooperation and without using the aforementioned platform. In the second run, participants were given access to the platform, where they could upload cyberthreat data obtained during the attack. As soon as the fastest team enriched the platform with correct data for mitigating the attack, that data was automatically distributed to all teams, allowing them to respond faster and stop the attack on their own infrastructures.


The results of the exercise clearly demonstrate that the use of the platform when tackling the attacks improved the effectiveness of response several times over compared to that of independent efforts. This is indeed a significant result, despite the fact that the data exchange technology was relatively new for the industry and many participants were only loosely familiar with it. Still, it may be speculated that by far not all of the platform's capabilities were demonstrated at Cyber Polygon, with much potential yet to be discovered. In the real world, a similar result could mean millions or even billions of dollars averted in damages.
The training was streamed online and lasted over three hours in total. Thanks to the media support from the World Economic Forum Centre for Cybersecurity, the Cyber Polygon live-stream reached more than 12 million people in 24 countries.

The stream was sourced from the Sberbank Security Operations Centre (SOC), which housed a team of event organizers from BI.ZONE (Red Team), tasked with simulating the actions of potential attackers, and alongside them a defending team from Sberbank (one of the Blue Teams). The remaining Blue Teams were connected remotely.

Opinion leaders in cybersecurity also took part in the broadcast, including INTERPOL's Cybercrime Director Craig Jones; Head of Governance and Operations of the Forum's Centre for Cybersecurity Bruno Halopeau; and renowned cybersecurity strategist and entrepreneur Menny Barzilay. A number of recognized experts from leading companies in the industry presented on the threats which the Blue Teams encountered during the training. All interviews and articles based on the commentary, as well as the results of the training, are presented in this report.
What's next?


Cyber Polygon is a one-of-a-kind event that was launched in 2019 and will continue to be held on an annual basis. The technical part of the training takes place online, which virtually allows the geography and the number of participants of the exercise to be scaled ad infinitum. Each training is accompanied by lectures, interviews and commentary by world experts — all this is live streamed and can be followed from anywhere in the world.

The adopted format of Cyber Polygon is believed to foster a new approach to cyber exercises for the sake of benefiting the community at large. In the future, as more complex scenarios are developed, the results of the training as well as the feedback of participants and partners will be further analysed to formulate concrete proposals for improving global cooperation in the fight against cybercrime, not only at the technical level but also at the personal and legislative level.
Participating companies and our partners

The debut Cyber Polygon turned out to be a big hit, attracting both public and private organizations from all over the globe to join the event as participants and partners. This elevated the training to a global level, thereby proving the need for such exercises in all spheres.

Participating companies


Sberbank PJSC is Russia's largest bank and a leading global financial institution. Sberbank holds almost one-third of the aggregate Russian banking sector; it is the largest and most trusted institution for loans and deposits. With more than 145 million customers across 22 countries, Sberbank has the largest distribution network in Russia with almost 15,000 branches, and its international operations include the UK, the US, CIS, Central and Eastern Europe, India, China, Turkey and other countries.


New Development Bank (NDB) is a multilateral development bank established in 2014 by Brazil, Russia, India, China and South Africa to mobilize resources for infrastructure and sustainable development projects in BRICS and other emerging economies and developing countries, complementing the existing efforts of multilateral and regional financial institutions for global growth and development. To fulfil its purpose, NDB will support public and private projects through loans, guarantees, equity participation and other financial instruments.


Transtelecom JSC is one of the largest communication operators in the Republic of Kazakhstan, specializing in telecommunications, digitalization and system integration in IT, communications, automation and energy. Among their regular clients are many large critical facilities of national importance. Transtelecom JSC provides an edge for the domestic Security Operations Centre (SOC) services and incident response for the industrial sector.








MTS is a leading company in Russia and the CIS countries providing mobile and fixed communication services, data and Internet access, cable and satellite TV broadcasting, digital and mobile applications, financial and e-commerce services, and IT solutions in the field of system integration, Internet of Things, monitoring, data processing, cloud computing and electronic document management.


The Department of Information and 
Communications Technology is the executive 
department of the Philippine Government 
responsible for the planning, development and 
promotion of the country’s information and 
communications technology (ICT) agenda as 
well as cybersecurity programs in support of 
national development. 


Partners

IBM is a leading cloud and cognitive solutions company. It is the largest technology and consulting employer in the world, with more than 380,000 employees serving clients in 170 countries. With Watson, the AI platform for business, powered by data, the company is building industry-based solutions to urgent problems. For more than 7 decades, IBM Research has defined the future of information technology with the input from more than 3,000 researchers in 12 labs located across 6 continents.


Fortinet, Inc., founded on November 28, 2000, is a network security company that provides cybersecurity solutions to a range of enterprises and government organizations across the world. It provides protection against cyberattacks and the technology to take on security performance requirements of the network. It offers a range of security products and solutions, providing customers with an integrated network security architecture and threat intelligence to identify and minimize security gaps.
Scenario 1. DDoS attack 18
Scenario 2. Web application attack 20
Scenario 3. Ransomware attack 22
cyberthreats the world was facing in 2018.

Of the threats cited in the report, the three chosen were: DDoS attack, web-based application attack, and malware infection (ransomware) distributed via phishing emails.
any modern business. If the availability and stability of company information resources is hampered in any way, it may cost the business its customers and lead to defamation and profit loss for its partners.

For some cybercriminals, a DDoS attack is an attractive attack vector to pursue for financial extortion or to wage competitive warfare.

in which the victim's system or service is overloaded/flooded with requests to such [an extent that it can no longer serve] legitimate users.


Distributed Denial of Service (DDoS) is a type of DoS attack that is carried out using a large number of malicious devices with different IP addresses attacking a target simultaneously. Oftentimes, the attacking devices are geographically dispersed.

A DDoS attack can be purchased on the Darknet for as little as $50 per day,⁶ but can vary upward depending on the intensity and complexity of the attack, as well as on the target profile itself, and how sophisticated the victim's protection is.


The power of DDoS attacks in recent years has reached such intensities that they have become a threat not only to individual organizations, but also to the telecommunications infrastructure of entire countries. Five years ago, peak DDoS attacks would not exceed a threshold of [figure illegible in source]; today this number has increased to 1.7 Tbps. As an example, an attack of such power can cause the overload of communication channels of several Eastern European countries, rendering the internet inaccessible in that region.


DDoS attacks have become especially viable with the widespread use of mobile and IoT (Internet of Things) devices. The IoT Analytics report found that in 2017 this segment accounted for 5.9 billion out of 16.4 billion devices connected to the internet. By 2021, analysts predict an [passage missing in source] connected to the internet.⁹

of all devices with internet access⁷

$50 per day — the starting price⁸

6. Makrushin, Denis, "The cost of launching a DDoS attack", Securelist, 23 March 2017.

7. IoT Analytics, State of the IoT 2018, August 2018.

8. Makrushin, Denis, "The cost of launching a DDoS attack", Securelist, 23 March 2017.
of DDoS attacks and their intensity. Typically, during the attack, cybercriminals break into and infect many IoT devices, then merge them into a botnet — a network of compromised devices running malicious software (malware). One method of infection is by means of standard logins and passwords available in openly accessible resources due to a previous hack or default settings — unfortunately, still too few people change factory default settings and data. This allows criminals to create large-scale botnets and at the same time increase the potential intensity of their attacks. As Akamai Technologies points out, the most powerful DDoS attack using IoT, recorded in 2018, reached a peak of 1.3 Tbps.¹¹
impact on the growth of attack firepower is

[The transition from fourth-]generation (4G) mobile networks to the fifth (5G) will increase the bandwidth per device. Compared to 4G networks, 5G networks are predicted to boost the average upload/download speed to about five times that of today's capability, from 30 Mbit/s to 150 Mbit/s. A DDoS attack from many devices using 5G technology will allow hackers and cybercriminals to render almost any website on the internet inaccessible.


Today, most organizations are not able to withstand on their own large-scale DDoS attacks, whose power is expected to only increase in the future.


As this type of threat is very real, questions arise around how to secure the sustainability of our digital economy. The problem is so critical that it has become self-evident that the only viable option would require a joint effort.


9. IoT Analytics, State of the IoT 2018, August 2018.

11. "Memcached-fueled 1.3 Tbps attacks", The Akamai Blog, 1 March 2018.

12. Morales, Carlos, "NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us", NETSCOUT, 5 March 2018.

Scenario 2. Web application attack


Web applications are an integral part of the Internet ecosystem and enable b2b (business-to-business) and b2c (business-to-customer) interaction. The Internet Live Stats project reports that in 2019 there were more than 1.5 billion websites in the world.¹³ With the web infrastructure, internet users and consumers can get almost any service without leaving their homes: they can transfer money, book a doctor's appointment, buy plane tickets or claim a certificate from a government agency. This makes life more convenient, and as a consequence users readily share the personal and payment information that web applications require to provide paid services, share personal data to have goods delivered, or receive gifts on their birthdays.


At the same time, cybercriminals are compromising [figure illegible in source] web resources daily¹⁴ in pursuit of users' personal information, which is rapidly becoming more and more valuable: having access to a bank account or payment card data allows them to siphon off other people's money, while access to personal data opens up unlimited possibilities for social engineering, blackmail and trade of such information. The organization victimized by a compromised application is at risk as well: fines, penalties, legal disputes with customers and damage to reputation.


The Open Web Application Security Project (OWASP) community has pointed out that code injection has been the leading method of attacks on web applications since 2013.¹⁵ Embedding SQL code, or SQL injection, is one of the varieties of such attacks aimed at the database.

13. "Total number of Websites", Internet Live Stats.

14. Internet Live Stats, Websites hacked today [Live

websites breached daily¹⁶

Risk, 2017.

When a user wants to obtain some result
front web page. For example, they enter login
When an attacker interacts with the
the instruction "check login" may result in
account) — and, if such does not exist, reply
A well-prepared attack allows cybercriminals to send requests to the web application database, bypassing all protective measures, and to gain access to part or all of the information stored there: users' bank card details, passwords and phone numbers, their addresses and much more.

The dangers of SQL injections are not limited to stealing confidential data. With modern commercial database management systems (MySQL, MS SQL, PostgreSQL, etc.), a user can not only access information stored in a web application, but also read or write files on the server, and even execute certain system commands. Therefore, today, with a successful SQL code injection attack, a cybercriminal has a chance to penetrate an organization's internal network and compromise not just a single database, but a whole series of internal systems that includes workstations, accounting/financial systems, ERM or HR systems, source code repositories, among others.
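To make the "check login" instruction and its failure mode concrete, here is an added example (not code from the report or from Cyber Polygon) that builds the same login check two ways against a constructed in-memory SQLite table; the table layout, the sample users and the test inputs are assumptions for this demo only.

```python
"""Added example, not from the report: the "check login" query built by string
concatenation beside its parameterized form, run against a constructed
in-memory SQLite database. Table layout and sample rows are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw-2019")],
    )
    return conn


def check_login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """The 'check login' instruction with user input pasted into the SQL text.

    Because the input becomes part of the statement, a quote character in it
    changes the statement's structure instead of being treated as data.
    """
    query = (
        f"SELECT COUNT(*) FROM users WHERE login = '{login}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def check_login_safe(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Same check with a parameterized query.

    The SQL structure is fixed at write time; the driver binds the input to the
    placeholders as values, so no input can alter the WHERE clause.
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] > 0


def run_case(conn: sqlite3.Connection, login: str, password: str) -> dict:
    """Run one input through both implementations and report what happened.

    'error' means the concatenated query was no longer valid SQL, which is
    how a stray quote in a legitimate value surfaces in the vulnerable form.
    """
    try:
        vulnerable = check_login_vulnerable(conn, login, password)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "safe": check_login_safe(conn, login, password)}


def demo() -> dict:
    """Three inputs: a correct login, a legitimate login containing a quote,
    and the well-known tautology that rewrites the WHERE clause (the standard
    regression input defenders use to confirm the parameterized fix holds)."""
    conn = make_db()
    return {
        "valid": run_case(conn, "alice", "s3cret"),
        "quote_in_name": run_case(conn, "o'brien", "pw-2019"),
        "tautology": run_case(conn, "alice", "' OR '1'='1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} vulnerable={result['vulnerable']!s:6s} safe={result['safe']}")
```

The concatenated form both breaks on a legitimate value containing a quote and accepts the tautology for any account, while the parameterized form gives the correct answer in all three cases; the query shape, not input filtering, is what closes the hole.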


This scenario was a perfect choice to be 
included in the line-up of exercises due to the 
prevalence and potential reach of SQL injections, 
as well as to the severity of their consequences. 


17. The Open Web Application Security Project, OWASP Top 10 — 2017: The Ten Most Critical Web Application Security Risks, 2017.
In 2017, WannaCry, Petya, and NotPetya ransomware epidemics forced the international community, even those not directly involved in cybersecurity, to talk about ransomware Trojans. Once inside the system, this class of malware encrypts files and extorts a ransom to be paid before decrypting them. The average amount demanded [figure illegible in source].¹⁹

By 2018, the number of infections by traditional ransomware — aimed at obtaining financial benefits, and not just for the sake of causing damage — had decreased by more than half. However, these figures do not mean an actual decline in ransomware activity, but represent a decline in the number of attacks on individual users. The focus has begun to shift toward organizations, which are seen by cybercriminals as potentially more profitable.


Last year, organizations accounted for 81% of all ransomware victims, a 12% increase since 2017.²⁰ This is understandable as the value of data of companies is much higher than that of ordinary individuals, and corporate victims are ready to give serious consideration to paying ransom for decrypting and regaining access to critical assets (data and systems).


The change in focus of attacks is also explained by the fact that ransomware began to spread through phishing mailings, and as email is the main channel of communication in the corporate environment, organizations are more vulnerable to spam mailings than individual users.


19. Howell O'Neill, Patrick, "Ransomware demands now
pay up", CyberScoop, 26 April 2017.

20. Symantec, 2019 Internet Security Threat Report, 2019.

cybersecurity specialists

ransomware victims are

21. Proofpoint, State of the Phish 2019 Report, 2019, p. 10.
22. Symantec, 2019 Internet Security Threat Report, 2019.


The low level of cyberliteracy of corporate staff plays into the hands of attackers. According to Sberbank Group statistics, about 16% of employees follow the link in a phishing email, and 7% enter their corporate credentials on a phishing site or open a malicious attachment. In order to compromise the resources of an entire company, one gullible employee is enough to open and set off a malicious software infection.


The popularity of phishing is only growing. A study done by Proofpoint in 2018 surveyed cybersecurity specialists and found that 83% of them have encountered this attack — that is 7% more than in 2017.²¹


What is to be taken from this? A couple of seconds of encryption can translate into hundreds of thousands of dollars in damage, while such an attack is relatively easy to implement. For this reason, this scenario was a conclusive choice for inclusion in the training exercises.









23. BI.ZONE, Threat Zone'19: False sense of cybersecurity

Preparation timeline
Around 10 months separated the inception of Cyber Polygon from its actual fruition.

In the fall and winter of 2018, the initial plans of the concept began to take shape. Over the next few months, we, together with all the parties involved, worked out the technical infrastructure layout and the principles of conducting the attacks, taking into account the limitations and wishes of the participants. In the lead-up to Cyber Polygon, we found ourselves to be a whole month ahead of schedule and ready to launch the training there and then.


Preparation timeline

November 2018: A decision to hold Cyber Polygon was made
December 2018: The training concept was developed
18 January 2019: The first online meeting with participants














The concept for this exercise appeared in early 
autumn. Following a number of meetings and 
negotiations with several partners, it was confirmed 
by November that there was considerable interest in 
this initiative, and it was decided to start developing 
the training. 


The concept of the first Cyber Polygon training was based on the idea of developing international cooperation in countering digital threats. Convinced that the lack of practical cooperation hinders the successful fight against cybercrime, and that the lack of data and mechanisms for transferring valuable experience reduces the effectiveness of response to cyberattacks in all countries of the world, Cyber Polygon 2019 chose to train corporations to interact and exchange information.


During the first online meeting, potential participants were convened and the goals and objectives of the training were explained. The discussion also included emerging issues and the gathering of participant feedback.


The initial intention was to bring the training as close as possible to real conditions. To do this, it was planned to use the real technical infrastructure of the participants, which is already connected to their SOC (Security Operations Centre): the Blue Team (team defending against cyberattacks) could identify attacks and respond to incidents in real time, relying on existing business processes in their companies. Any negative consequences from the training attacks were ruled out due to the training being carried out under the organizer's full supervision. However, all participants agreed that it was necessary to exclude even the slightest chance of affecting the production infrastructure of the business.


As a result, it was decided to conduct Cyber Polygon 
in an isolated training cloud infrastructure. To assist 
the organizing team in this task, IBM Cloud was 
invited as technical partner for the exercise. 


15 February 2019: Technical infrastructure design for the training was finalized
27 April 2019: Attack simulation scenarios were developed and approved
20 May 2019: The technical infrastructure was deployed on IBM Cloud
12 June 2019: Demonstration of the infrastructure to participants





Based on the results of several rounds of negotiations with potential participants, a complete picture of what the technical infrastructure of the Cyber Polygon should look like was put together.

The isolated small-scale network architecture reflected most corporate networks and included several segments. The necessity to stay as close as possible to real infrastructure also influenced the choice of workstation software, servers, and security tools: the focus was put on those components that are often used in large corporations and stir up much interest among attackers.


Three scenarios were chosen to be simulated in the 
exercise: DDoS attack, web-based application attack 
and ransomware infection. Organizations of virtually 
any size, industry and in any region are susceptible 
to these common types of attack. 


In developing the scenarios, the attack techniques were designed so that they would not automatically trigger the security assets to block the attack, but would allow the Blue Team to analyze the security alert events.


Initially, it took several days to deploy and configure from scratch all the necessary components for the first participant, but subsequently the entire deployment process was automated, reducing the end-to-end deployment time to just 30 minutes.


When first testing the DDoS attack scenario, it was 
found that malicious traffic was not delivered to the 
target. After troubleshooting the problem, it turned 
out that all IBM Cloud customers are protected from 
DDoS attacks by default. The system automatically 
detects network anomalies and blocks parasitic 
traffic on entry to the cloud. A specific setting was 
implemented to disable this protection solely for the 
training segment for the duration of the exercise. 


To avoid wasting time studying the infrastructure on the day of the event, a remote walk-through was demonstrated to all participants and the rules of conduct at Cyber Polygon were explained. This made it possible to collect feedback and to prepare answers to frequently asked questions in the instructions that each team received on the day of the training.


19 June 2019: Cyber Polygon Training Day 1

21 June 2019: Press briefing on Cyber Polygon results, International Cybersecurity Congress

12-13 November 2019: Publication of the Cyber Polygon results report at the World Economic Forum Annual Meeting on Cybersecurity in Geneva
The organizers of the training, invited speakers and experts, as well as the Red Team (the team acting as the cyberattacker) gathered at the Sberbank Security Operations Centre (SOC) in Moscow. The Blue Team members connected to the infrastructure remotely: they could stay updated on the other teams' results and listen to the host's commentary on a specially created online platform. The numerous viewers followed the event via live-stream and were able to follow the technical aspects (Red Team and Blue Team in action on-screen) as well as the presentation with lectures and interviews from invited experts.


The training began at 12:00 Moscow time and lasted 
about 3.5 hours. 


The training was specifically planned to coincide 
with the dates of the International Cybersecurity 
Congress 2019, where the first results of the event 
could be immediately summarized during a press 
briefing session. The speakers were representatives 
of the participating organizations, as well as experts 
who supported the initiative. The briefing gathered 
a large number of journalists from general and 
specialized press/media and Congress participants. 


The final stage of the Cyber Polygon 2019 initiative 
is the publication of a report, which describes the 
experience of conducting the first training including 
lessons learned. 


The report is intended for a broad readership, with or without a technical background: specifically for top management, to be able to evaluate the effectiveness of such exercises and to familiarize themselves with the technology for exchanging data on cyberthreats, as well as for technical specialists, who have the opportunity to learn something new in terms of mitigating cyberattacks and ultimately show interest in participating in a future Cyber Polygon exercise.
Blue Team infrastructure

Red Team infrastructure

... needed to create an infrastructure resembling real conditions as closely as possible, which would allow for arbitrary attacks.

Blue Team

In the run-up to the event, the infrastructure of each participant was divided into 5 segments traditionally existing in the infrastructure of any organization:


1. External segment that provided Internet access to active participants.

2. User segment emulating workstations. Microsoft Windows PC1 and PC2 virtual machines were deployed here.

3. De-Militarised Zone segment (DMZ), designed to host the organization's public services (typically web servers). It deployed services that required access from the Internet.

4. Server segment designed to host internal organization services (typically mid-tier and back-end servers). The following virtual machines were deployed here:

   - Microsoft Active Directory-based directory service (Windows 2016);

   - Microsoft Exchange-based mail server (Windows 2016);

   - LAMP stack web server (AMP were deployed as docker containers).

5. Control segment necessary for remote control of their dedicated infrastructure. A Microsoft JumpHost virtual machine based on Microsoft Windows was deployed for this purpose.
LAMP: a comprehensive setup for web-server and application hosting. Linux, the GNU Linux operating system; Apache, the web server; MySQL, the database management system (DBMS); PHP, the scripting language.
When creating environment templates, special attention was paid to the deployment of virtual security devices. In particular, each environment had the following components deployed and customised:
- Firewall dividing the environment into segments;

- Web Application Firewall, which protects web applications;

- Email Security Gateway, which provides mail server security;

- "Sandbox", providing additional in-depth analysis of files in a dynamic environment;

- VPN Gateway, which allows administrators to remotely connect to the management segment.

Sandbox: cybersecurity experts use such systems to observe malware behavior in a safe and isolated environment.


In addition, most virtual security devices were integrated with the BI.ZONE ThreatVision data exchange platform. Through it, data was distributed across the devices, which made it possible to block attacks during a joint response to cyberthreats (the platform and its role in the training are described in detail in the next two sections).





The layout of each environment is presented in the figure below.

[Figure: layout of a training environment. Management link (via Remote Access VPN).]
Each participant received instructions with a detailed description of the infrastructure and how to connect to the management segment, as well as credentials for connecting to each infrastructure component.

The actions within the training infrastructure were left to the discretion of the participants. They could limit themselves to the pre-installed security tools and given settings, or install additional security tools on the virtual machines and change to custom settings.


Red Team infrastructure

The computing resources employed by the Red Team (simulating the attackers) were located separately on the Internet. They were mainly represented by traffic generators located in the cloud in 7 geographic locations:

- Ireland
- Frankfurt
- Seoul
- Tokyo
- Mumbai
- Singapore
- Sydney

Each location had 2 virtual machines generating traffic. This ensured backup and power amplification of DDoS attacks. For each traffic-generating virtual machine located in the provider cloud, there were 56 external IP addresses; in total, for 7 locations, this summed up to 392 IP addresses with a /32 mask to carry out attacks. The network of traffic generators was able to utilize up to 275 Gbps of bandwidth or provide up to 294,000 transactions per second for an HTTP flood. The traffic generators were able to develop any stress attack on a network protocol or application with the power equivalent to a botnet of 400,000 nodes. In total, the network of traffic generators produced 105 different types of traffic at the same time.

All virtual machines were integrated by the main controller, which regulated the generators and collected the necessary metrics. Particular attention was paid to tracking the legitimate generated traffic. Metrics of legitimate traffic gave an idea of the success of the attacks and the state of the participants' protection.




When designing DDoS attacks, we were faced with the fact that this kind of activity cannot be carried out in the cloud: our provider sent us two letters asking us to explain our intentions and stop further attempts to conduct DDoS. Part of the IP addresses allocated to us was blocked for traffic generation.

We contacted the provider immediately, explaining that it was just a training designed to focus on response to cyberthreats and that we had all the intentions to comply with the company policy, which meant generating traffic within the permissible levels. Our addresses were unlocked, and we reduced the intensity of attacks while maintaining functionality.

Member of the Red Team
Such platforms help to work with Threat Intelligence, that is, information about cyberthreats. This includes information about the main threats to companies in a particular industry or region, the methods of attackers, signs of compromised infrastructure, and so on.


It is effective to disseminate and exchange such information, since many cybercriminals focus on specific industries and types of attacks and rarely change tactics and tools. It is highly likely that an attack directed against a certain company from a particular industry today can be directed against a similar company tomorrow. If the first company collects and shares the information about the attack, it will be easier for the following victims to identify and block the actions of the attackers. TIP-class products help to simplify and automate the exchange of such data and bring it to new levels.


The main unit of data presentation in the platform is the Indicator of Compromise (IoC). This is an object observed in the infrastructure which is likely to indicate a compromise of the company's network. Such objects include malware signatures, hash sums of malicious files, botnet command server addresses, phishing domains or malware distribution websites, and so on. Indicators of compromise are used for early detection of attempts to penetrate computer systems and for an initial assessment of a possible threat. And it was specifically the indicators of compromise that the participants of Cyber Polygon were aiming to exchange when working through the scenarios for joint response to cyberattacks.


Threat Intelligence platforms are suitable for sharing information within an industry and beyond. The infrastructures of large corporations are similar in structure regardless of their line of business, so information about the techniques used by cybercriminals can be useful not only for the particular industry where such techniques were detected but can serve more broadly across the spectrum. The Cyber Polygon training demonstrated that the same threats are often relevant for different industries, and that the cross-sectoral and international exchange of data contributes significantly to countering them more effectively.

Most cyberthreats are relevant to several industries


Cyber Polygon revealed only a small portion of the ultimate capabilities of data exchange platforms. In reality, with access to such platforms, security specialists can perform the following in automated and real-time modes:

- receive up-to-date verified information on cyberthreats;

- choose the most relevant data to regularly monitor priority threats;

- visualize the interrelations between objects for successful incident investigation;

- increase security system potential and effectively configure correlation rules for SIEM (Security Information and Event Management);

- visualize trends in attack methods and directions and develop a reasonable counter strategy.


During the training, there was a clear benefit when the above-mentioned attack information was shared, and even organizations that failed to detect the attack, or did not have the capacity to work out its full scope, could protect themselves quicker by using the shared information. Another advantage is dividing the problem across the connected parties so as to increase investigation efficiency and build response mechanisms faster. This is how data exchange should be optimized in real life: by pooling resources and knowledge and designing solutions through a wide community, beyond the organization's limited resources and capabilities.
Cyber Polygon training flow

Scenario 1. DDoS attack
Scenario 2. Web application attack
Scenario 3. Ransomware attack


Each scenario was executed twice:

First round, without using the BI.ZONE ThreatVision data exchange platform: each participant had to identify and mitigate the attack on their own.

To stop the attack, the Blue Teams needed to apply a security policy on the necessary protection tool that would block IP addresses, files with a specific checksum or other indicators of compromise that distinguish a particular attack. The task was considered completed when the participant uploaded the correct IoC in the team's personal account on the site cyberpolygon.com.

In order to keep the situation as close as possible to real life, the attacks were obfuscated by a stream of legitimate traffic that was also created by the traffic generator.

The duration of each scenario was set to 1 hour to accommodate two rounds of the scenario as described above. Each round lasted 30 minutes, regardless of the results and success.

Each scenario: 2 rounds

Second round, with the BI.ZONE ThreatVision data exchange platform. In this round, the teams submitted their IoCs to the BI.ZONE ThreatVision platform (cyberpolygon.gti.bi.zone). The attack was considered mitigated when the first participant to identify and block the attack loaded the correct IoC into the platform. Following this, the uploaded IoCs were automatically transferred to the protection assets of the other participants and the attack ceased for everybody.
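The round-2 flow described above, as an added example (not code from the report or from the BI.ZONE ThreatVision platform): a toy exchange platform that validates an uploaded IoC, pushes it to every participant's blocklist and reports when the attack ceased for everybody. Participant names, timings and the indicator values are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicator types the exercise used: botnet User-Agent (scenario 1),
# attacker IP address (scenario 2), md5 of the malicious files (scenario 3).
VALIDATORS = {
    "user_agent": re.compile(r"^[\x21-\x7e][\x20-\x7e]{0,255}$"),
    "ip": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
}


def validate_ioc(kind: str, value: str) -> bool:
    """Reject malformed indicators before they are pushed to anyone's protection assets."""
    pattern = VALIDATORS.get(kind)
    return bool(pattern and pattern.fullmatch(value))


@dataclass
class Participant:
    """A Blue Team and the blocklists of its security tools, keyed by IoC type."""
    name: str
    blocklist: dict = field(default_factory=lambda: {k: set() for k in VALIDATORS})

    def blocks(self, kind: str, value: str) -> bool:
        return value in self.blocklist[kind]


@dataclass(frozen=True)
class Scenario:
    """Organizer-side answer key: the indicator that actually distinguishes the attack."""
    name: str
    kind: str
    true_ioc: str


class ExchangePlatform:
    """Round-2 behaviour: every well-formed IoC uploaded by one team is pushed to all teams."""

    def __init__(self, participants):
        self.participants = list(participants)
        self.uploads = []  # (t_seconds, submitter, kind, value)

    def upload(self, t: int, submitter: Participant, kind: str, value: str) -> bool:
        if not validate_ioc(kind, value):
            return False  # malformed: counts as a failed attempt, nothing is distributed
        self.uploads.append((t, submitter.name, kind, value))
        # A wrong but well-formed value is distributed too, which is why attempts were counted.
        for p in self.participants:
            p.blocklist[kind].add(value)
        return True


def run_round2(scenario: Scenario, participants, submissions):
    """Replay timed submissions (t_seconds, participant, kind, value) in time order.

    Returns (mitigated_at, submitter_name, attempts), or (None, None, attempts) if the
    true indicator never reached every infrastructure within the submissions given.
    """
    platform = ExchangePlatform(participants)
    attempts = 0
    for t, who, kind, value in submissions:
        attempts += 1
        platform.upload(t, who, kind, value)
        # Mitigated for everybody once the true indicator is blocked in every infrastructure.
        if all(p.blocks(scenario.kind, scenario.true_ioc) for p in participants):
            return t, who.name, attempts
    return None, None, attempts


def demo():
    orgs = [Participant(f"Organization {i}") for i in range(1, 6)]
    # Constructed scenario: the web-application attack, IoC = attacker IP (placeholder value).
    web = Scenario("Scenario 2. Web application attack", "ip", "203.0.113.77")
    submissions = [
        (95, orgs[0], "ip", "203.0.113.7"),    # one of the noise generators: wrong
        (120, orgs[3], "ip", "not-an-ip"),     # malformed: rejected by the validator
        (151, orgs[2], "ip", "203.0.113.77"),  # correct: the attack ceases for all five
        (300, orgs[1], "ip", "203.0.113.77"),  # never reached
    ]
    return run_round2(web, orgs, submissions), orgs


if __name__ == "__main__":
    result, _ = demo()
    print("mitigated at %ss by %s after %d attempts" % result)
```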


[Figure: IoC exchange during the second round. 1. Attack on infrastructure. 2. One of the training participants detects and mitigates the attack. 3. The participant uploads the Indicators of Compromise (IoCs) to BI.ZONE ThreatVision. 4. The Indicators of Compromise are automatically downloaded by the other participants' security solutions. 5. The attack is automatically mitigated by all other participants.]


Scenario 1. DDoS attack

Red Team

Training attacks began when the Red Team launched an HTTP flood type DDoS attack on the participants' web applications. This type of DDoS attack is the most difficult to mitigate: the behavior of the bots mimics normal user interaction with the web service being attacked, so not all protection tools are able to detect and block such traffic. The main goal of the HTTP flood attack is to make the target service of the victim unavailable: the need to process a large number of requests exhausts the computing resources of the server, and it loses the ability to respond to any request, whether legitimate or not.


At the same time, the Red Team carried out a DDoS attack of the NTP (Network Time Protocol) flood type (GET_MONLIST, CVE-2013-5211): with it, a small request to the server asking for the exact time generates a significantly larger response (up to 5500 times in this case) and fills the available bandwidth of the server. This was supposed to distract the attention of the Blue Team from the HTTP flood attack.


In addition, the Red Team imitated the activity 
of legitimate users, which accessed the site's 
main page. 


HTTP flood attack patterns (1st round):

Name              Value
Transport         TCP
Source port       Random
Destination port  80
Length            302 bytes
HTTP
  Method          GET
  URI             /
  Version         HTTP/1.1
  HOST            Victim-%n or victim IP
  User-Agent      Sapari/11601.7.7

Legitimate user pattern (1st round):

Name              Value
Transport         TCP
Source port       Random
Destination port  80
Length            206 bytes
HTTP
  Method          GET
  URI             /
  Version         HTTP/1.1
  HOST            User-%n
  User-Agent      Darwin/15.6.0 (x86_64)


In the second round, the Red Team used new 
HTTP flood attack patterns and legitimate 
user traffic so that participants had to analyze 
the traffic from scratch. The NTP flood 
pattern remained the same as was the case 
for the rest of the traffic generation tasks, but 
the IP addresses were changed so that the 
configurations of the protection assets made 
by the participants did not affect the second 
round of the attacks. 


NTP flood attack patterns (1st round):

Name              Value
Transport         UDP
Source port       123
Destination port  123
Length            194-482 bytes
NTP
  Request code    MON_GETLIST_1 (42)
  Monlist item    Random, Random, Random, Random

HTTP flood attack patterns (2nd round):

Name              Value
Transport         TCP
Source port       Random
Destination port  80
Length            302 bytes
HTTP
  Method          GET
  URI             /
  Version         HTTP/1.1
  HOST            Victim-%n or victim IP
  User-Agent      Chroma/55

Legitimate user pattern (2nd round):

Name              Value
Transport         UDP
Source port       Random
Destination port  80
Length            206 bytes
HTTP
  Method          GET
  URI             /
  Version         HTTP/1.1
  HOST            User-%n
  User-Agent      CFNetwork/760.6.3

Blue Team

The easiest way to mitigate the attack was with the help of a tool designed for the detection of and protection from DDoS attacks, which was part of the predefined set of protection tools for each training environment. The control interface of the AntiDDoS system displayed traffic statistics in real time, and there was a sharp surge associated with the spurious incoming traffic of the DDoS attack.

In the spurious requests, participants were required to identify the unique value of the User-Agent which the botnet used for the DDoS attack. When a participant specified the desired value in the settings of the AntiDDoS system countermeasures, the system blocked the attack and the web server became operational.

When the scenario was re-run, participants were asked to upload the User-Agent value to the BI.ZONE ThreatVision data exchange platform. From there, this value was automatically transferred to the AntiDDoS systems of all teams, which made it possible to block the attack immediately in all infrastructures.

As a result, the average attack active time decreased by more than three times (the exact values are presented in the "Results" section). Moreover, the attack was mitigated by the Blue Teams that could not cope with the task in the allotted time during the first run of the scenario.
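How a Blue Team can pick the botnet User-Agent out of the mixed traffic, as an added example (not code from the report or from the AntiDDoS product used in the exercise): the request records are constructed, the User-Agent strings come from the pattern tables above, and the round-2 check shows why the round-1 blocklist stops matching once the Red Team changes its pattern.

```python
from collections import Counter


def make_traffic(bot_ua, legit_ua, bots=3000, users=400):
    """Constructed request records (src_ip, method, uri, host, user_agent).

    Source addresses are documentation ranges, not addresses from the exercise.
    """
    flood = [(f"198.51.100.{i % 200}", "GET", "/", f"Victim-{i}", bot_ua) for i in range(bots)]
    legit = [(f"192.0.2.{i % 40}", "GET", "/", f"User-{i}", legit_ua) for i in range(users)]
    return flood + legit


# User-Agent values as listed in the 1st- and 2nd-round pattern tables above.
ROUND1 = make_traffic("Sapari/11601.7.7", "Darwin/15.6.0 (x86_64)")
ROUND2 = make_traffic("Chroma/55", "CFNetwork/760.6.3")


def user_agent_profile(requests):
    """Map each User-Agent to (share of all requests, number of distinct source IPs)."""
    counts = Counter(r[4] for r in requests)
    sources = {}
    for ip, _method, _uri, _host, ua in requests:
        sources.setdefault(ua, set()).add(ip)
    total = len(requests)
    return {ua: (n / total, len(sources[ua])) for ua, n in counts.items()}


def flood_user_agents(requests, min_share=0.5, min_sources=50):
    """User-Agents that dominate the request mix AND arrive from many sources.

    Dominance alone is not enough: one busy legitimate client (one IP, many
    requests) must not be blocked. A botnet shows both properties at once.
    """
    return sorted(ua for ua, (share, srcs) in user_agent_profile(requests).items()
                  if share >= min_share and srcs >= min_sources)


def block_rule(user_agents):
    """The countermeasure the Blue Teams configured: drop requests carrying a listed UA."""
    blocked = set(user_agents)
    return lambda request: request[4] in blocked


def blocked_count(rule, requests):
    """How many of the given requests the rule would drop."""
    return sum(1 for r in requests if rule(r))


if __name__ == "__main__":
    rule = block_rule(flood_user_agents(ROUND1))
    print("round 1 UA:", flood_user_agents(ROUND1), "blocked:", blocked_count(rule, ROUND1))
    print("same rule on round 2 traffic blocks:", blocked_count(rule, ROUND2))
```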




The BI.ZONE team often partakes in preparing attacks for CTF competitions and for security analysis projects for our clients. But in this case, we were faced with the task of ensuring maximum compliance with typical SOC problems.

This was a new challenge, which I dare say was accomplished in stride.

Member of the Red Team


Scenario 2. Web application attack

Red Team

The target for the Red Team in the second 
scenario was a web application that each of 
the organizations had running on one of their 
servers and accessible from the Internet. 


The Red Team emulated the standard actions of attackers. At the beginning of the scenario, the attacking team scanned the web application by brute-forcing the directory names and the files it might use. This helped the cybercriminals to determine which CMS (Content Management System) the site was running on and its version. The CMS version helped to gauge whether or not the application was vulnerable to SQL injection.


Modern security tools can identify 
directory scans and determine the source 
of the scan, and one of these tools — Web 
Application Firewall (WAF) — was installed 
in each training environment. If it were 
only the Red Team doing the scanning, 
the defending teams would have quickly 
figured out the IP address and blocked it 
with the aid of WAF. Therefore, in addition 
to the real scan, we also brute-forced the 
CMS directories from hundreds of other IP 
addresses belonging to traffic generators. 
Additionally, the generators created 
legitimate user traffic to the site. With all 
these factors coming into play it proved 
very difficult to tell by looking at the WAF 
monitoring page, who is an actual attacker 
carrying out an attack on the CMS. 


Once it was "determined" via the scan that the participants' applications were vulnerable to SQL injection, the Red Team proceeded to select the parameters of the SQL query. The selection allowed the attackers to figure out the structure of the database (list of tables, column names for each of the tables). Having obtained the information about the structure of the database, the attackers could send specially generated queries to the web application, in response to which the application would return leaked contents of the database tables.

~1,000 requests sent by the Red Team to all participating infrastructures in the course of the scenarios.


Acting in this way, the Red Team gained access 
to the contents of all the database tables 
unless their actions were stopped by the Blue 
Teams. Similarly, real cybercriminals can collect 
sensitive information stored by the application. 


When the scenario was run the second time, 
the attack was carried out from another 
workstation, leaving the participants to figure 
out the new attacker's IP address. 


In this scenario, we did what penetration testing experts engage in every day.

First, we went through the participants' web applications using Dirsearch. This utility helps to find endpoints, i.e. files and directories of web services. The most suspicious endpoints were checked by fuzzing, which involves feeding them incorrect and unexpected data. Initially we noticed SQL errors in the responses, started digging deeper and found an SQL injection. And it was all a matter of technique after that: preparing the requests, assembling the database structure and initiating dumping, downloading the tables one by one.

The difficulty was to not have yourself compromised ahead of time. We understood that the Blue Team was monitoring all traffic, so we had to reduce our activity. Because of this, the preparation and the attack itself dragged on; alas, we still failed to slip by unnoticed. In time, all teams ended up repelling our attack.

Member of the Red Team


Blue Team 


This attack had to be mitigated with the help of the already mentioned WAF, which was included in the predefined set of security tools of each training environment. Through the WAF dashboard, it was necessary to figure out the IP address of the attacking device, both during the brute-forcing of directories and during the SQL injection attempts, and add the IP to the list of blocked addresses on the firewall.


In the repeat run of the scenario, the identified 
IP address had to be saved in the BI.ZONE 
ThreatVision platform, from where it was 
automatically loaded into the firewalls of all 
participants. 


As a result, the average attack response time 
was nearly 7 times faster compared to the first 
run of the scenario (exact values are presented 
in the "Results" section). At the same time, the 
reduction of response time led to the fact that 
the attacks were thwarted during the scanning 
of directories in the training environments — a 
real attacker would not even have time to begin 
making queries to the application database. 
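The triage a Blue Team could run over WAF or web-server access logs to separate the real attacker from the noise generators, as an added example (not code from the report or from the WAF used in the exercise). The log lines are constructed: 203.0.113.0/24 plays the noise generators, 192.0.2.0/24 the legitimate users and 198.51.100.23 the Red Team workstation; all are documentation-range addresses, not addresses from the exercise.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format: client, identity, user, [time], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Injection markers a WAF typically flags, matched after URL-decoding the request path.
SQLI_MARKERS = re.compile(r"'|\bunion\b.{0,20}\bselect\b|information_schema|\bsleep\s*\(", re.I)

# A short directory wordlist of the kind a scanner brute-forces (constructed).
WORDLIST = ["/admin/", "/wp-login.php", "/backup/", "/config.php", "/uploads/", "/phpmyadmin/"]


def _entry(ip, path, status):
    return f'{ip} - - [19/Jun/2019:13:35:00 +0300] "GET {path} HTTP/1.1" {status} 512'


def constructed_log():
    """Build the sample log: noise scanners, legitimate users and one real attacker."""
    lines = []
    # Noise generators: hundreds of IPs, one probe each, every probe answered 404.
    for i in range(250):
        lines.append(_entry(f"203.0.113.{i}", WORDLIST[i % len(WORDLIST)], 404))
    # Legitimate users browsing pages that exist.
    for i in range(200):
        lines.append(_entry(f"192.0.2.{i % 40}", ["/", "/news.php?id=1", "/about/"][i % 3], 200))
    # Red Team workstation: the whole wordlist, then injection attempts against the CMS.
    attacker = "198.51.100.23"
    lines += [_entry(attacker, p, 404) for p in WORDLIST]
    lines.append(_entry(attacker, "/news.php?id=1%27", 500))
    lines.append(_entry(attacker,
                        "/news.php?id=1%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables",
                        200))
    return lines


def triage(lines):
    """Per-source counters: total requests, 404 probes, requests carrying SQLi markers."""
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "sqli": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand rather than guess
        ip, path, status = m.group(1), m.group(3), int(m.group(4))
        s = stats[ip]
        s["requests"] += 1
        if status == 404:
            s["probes"] += 1
        if SQLI_MARKERS.search(unquote(path)):
            s["sqli"] += 1
    return stats


def likely_attackers(stats, min_probes=3):
    """Noise generators only probe and legitimate users only browse; the real attacker
    did both, enumerating directories AND injecting. Requiring both signals separates
    the one IP worth blocking from the hundreds visible on the WAF dashboard."""
    return sorted(ip for ip, s in stats.items() if s["probes"] >= min_probes and s["sqli"] > 0)


def probe_only_sources(stats):
    """The long tail of scanners; blocking these one by one is the time sink the text describes."""
    return sorted(ip for ip, s in stats.items() if s["probes"] and not s["sqli"])


if __name__ == "__main__":
    st = triage(constructed_log())
    print("block:", likely_attackers(st), "| probe-only sources:", len(probe_only_sources(st)))
```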
... hosts simultaneously generated "white noise" and imitated normal user activity to obfuscate the detection of the Red Team


Scenario 3. Ransomware attack

Red Team


In the final scenario, the Red Team sent a 
phishing email to one of the users from each 
Blue Team. It contained a password-protected 
archive with a document in .doc format 
harbouring a malicious macro. When the 
document was opened, it saved a downloader 
to the C drive, which after a specified delay time 
downloaded and launched a malicious file — an 
encryption program. 


A real phishing attack always hits the most vulnerable user, who is not expecting to be tricked and readily opens attachments or performs other actions proposed by an attacker. There were no ordinary users in this training; therefore, to emulate the infection, we recommended that Blue Team participants open the attachments themselves.


Blue Team 


To complete the task of the scenario, the 
participants had to find the md5 hashes of 
three files: 


1. MSWord document from a phishing email. 


2. The downloader file that was created on 
the C drive by the malicious document. 


3. The malicious file that was downloaded 
and executed by the downloader 
automatically. 


To get the md5 hashes, one needed to get a sample of each file. The MS Word document and the downloader file were available to each participant, but the third file, the encryption program itself, was downloaded and launched only at the end of the time allotted for the response. The corresponding warning "your files are encrypted" signalled that the team could not complete the task.


Most IoCs can be found through behavioural analysis of the samples being inspected


To successfully obtain the malicious file before 
the time ran out, the team had to extract the 
URL of the malware and download it without 
launching. The URL could be found in the 
memory of the downloader process. 
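The two analyst steps above, hashing the samples and recovering the download URL from the downloader's memory without launching the payload, as an added example (not code from the report). The sample bytes and the memory blob are constructed, and the URLs use the reserved .test domain; they are not the indicators from the exercise.

```python
import hashlib
import re


def md5_hex(data: bytes) -> str:
    """md5 of the file contents, the form of IoC the scenario asked teams to submit."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for the three artefacts (not real samples).
PHISHING_DOC = b"\xd0\xcf\x11\xe0" + b"constructed .doc with macro stub" * 8
DOWNLOADER = b"MZ\x90\x00" + b"constructed downloader stub" * 8
ENCRYPTOR = b"MZ\x90\x00" + b"constructed encryptor stub" * 8


def scenario_iocs():
    """The three md5 values a team had to submit, in the order the report lists the files."""
    return [md5_hex(PHISHING_DOC), md5_hex(DOWNLOADER), md5_hex(ENCRYPTOR)]


# Constructed memory image of the running downloader: one URL stored as ASCII, one as
# UTF-16LE (the usual in-process string encoding on Windows), surrounded by noise bytes.
MEMORY = (b"\x00" * 64 + b"MZ\x90\x00kernel32.dll\x00"
          + b"http://dl.example.test/stage2/enc.bin\x00" + b"\xcc" * 32
          + "https://cdn.example.test/u.php?k=7".encode("utf-16-le") + b"\x00\x00"
          + b"\xff" * 16)

URL = r"https?://[A-Za-z0-9.\-]+(?::\d+)?/[A-Za-z0-9._~/%\-?=&]*"
URL_ASCII = re.compile(URL.encode())
URL_TEXT = re.compile(URL)
WIDE_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # printable UTF-16LE runs


def extract_urls(memory: bytes) -> list:
    """Carve URLs out of a process memory dump with an ASCII pass and a UTF-16LE pass.

    Nothing is executed: the analyst fetches the carved URL with a non-executing
    tool (or in the sandbox) and hashes the result before the downloader's timer fires.
    """
    found = {m.group(0).decode("ascii") for m in URL_ASCII.finditer(memory)}
    for m in WIDE_STRING.finditer(memory):
        found.update(URL_TEXT.findall(m.group(0).decode("utf-16-le")))
    return sorted(found)


if __name__ == "__main__":
    print("md5 IoCs:", scenario_iocs())
    print("URLs in downloader memory:", extract_urls(MEMORY))
```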


In the first round, only one participant's 
organization managed to find all three md5 
hashes in the allotted time. 


During the second round, participants saved the discovered md5 hashes to the BI.ZONE ThreatVision platform, from which they were loaded to the security systems of each training environment. After receiving the md5 hashes, the attack could be mitigated with the use of antivirus software or an EDR (Endpoint Detection and Response) system, for example.


During the training attack, all participants 
received phishing emails at the same time. If 
this was to happen in real life, the exchange 
of md5 hashes would have been ineffective: 
by the time someone shared the indicator of 
the malicious email, the email protection tool 
would have already allowed it through to the 
end-users. But in reality, attacks on various 
organizations are spread out over time, and 
with the help of loC exchange they can be 
repelled in their prime stages. 


In the second round, the incident response team of one of the organizations identified all 3 IoCs (and thus protected all other organizations) faster than the other participants had managed to upload at least one IoC.


Sending emails containing an archive with a password is one of the most common ways of bypassing security measures


Responding to security incidents is my daily routine. Cyber Polygon allowed me to look at this process through the eyes of an attacker.

It was very interesting to observe how other specialists perform the so familiar task. One of the Blue Team participants agreed to install screen feed software, so all viewers could monitor the malware analysis in real time. I can't recall another case when I would have seen a similar process live.

It was great to have teams that could easily find all the IoCs with a minimal set of tools at hand.

Member of the Red Team


Results and metrics

The tables below contain comprehensive results from Cyber Polygon. The anonymous representation of the teams in the tables (organization 1, organization 2, etc.) is intentional, as the exercise was not for competition but for cooperation. Moreover, this avoids disclosing any information which might be deemed sensitive by the participants.
Columns: IoC is the correct indicator(s) submitted; Length is the time from the start of the round to the IoC submission; Attempts is the number of submissions made out of the maximum allowed.

Scenario 1. DDoS attack

                 Round 1                                        Round 2
                 IoC   IoC submission time   Length   Attempts   IoC   IoC submission time   Length   Attempts
Organization 1   1     12:52:15              22:15    2/10       0     -                     -        0/10
Organization 2   1     12:45:55              15:55    2/10       1     13:06:28              06:28    9/10
Organization 3   0     -                     -        0/10       0     -                     -        0/10
Organization 4   1     12:55:26              25:26    3/10       0     -                     -        5/10
Organization 5   1     12:57:41              27:41    3/10       0     -                     -        4/10

Scenario 2. Web application attack

                 Round 1                                        Round 2
                 IoC   IoC submission time   Length   Attempts   IoC   IoC submission time   Length   Attempts
Organization 1   1     13:54:24              24:24    1/10       0     -                     -        0/10
Organization 2   1     13:39:49              09:49    10         0     -                     -        0/10
Organization 3   1     13:37:14              07:14    1/10       1     14:02:31              02:31    4/10
Organization 4   1     13:45:34              15:34    1/10       0     -                     -        0/10
Organization 5   1     13:40:42              10:42    1/10       0     -                     -        0/10

Scenario 3. Ransomware attack

                 Round 1                                           Round 2
                 IoC      IoC submission time   Length   Attempts   IoC      IoC submission time   Length   Attempts
Organization 1   -        -                     -        3/10       0        -                     -        0/20
Organization 2   -        -                     -        0/20       1, 2, 3  15:08:43              07:43    11/20
Organization 3   1, 2, 3  14:58:38              27:38    11/20      0        -                     -        0/20
Organization 4   -        -                     -        7/20       0        -                     -        0/20
Organization 5   -        -                     -        8/20       0        -                     -        0/20
































Conclusions 


The results of Cyber Polygon suggest the following conclusions: 


Training makes it quicker

The second round of each scenario resulted in the participants taking considerably less time to detect and mitigate the attack compared to the fastest participants during the first round. This is partly due to the fact that after getting some practice in the first round, the teams better understood how to withstand the attacks. In the second round of the scenario, the only elements that were changed were the IoC values, and not the attack logic itself, so the participants responded to the threat much faster. This confirms the effectiveness of practical training: teams improved their ability to mitigate attacks and immediately demonstrated progress, all within a relatively short amount of time.


Collaboration is the key 


Working with the data exchange platform yielded a remarkable decrease in the average time it took to respond to an attack. The best results from using the information sharing platform were obtained in the second scenario: compared to the first round of attacks on the web-based application, in the second round the response was 7 times faster. By exchanging data, the participants mitigated the attack in 2 minutes 31 seconds, whereas the longest independent response in the first round took 24 minutes 24 seconds — the difference between the indicators was almost 22 minutes, with the total duration of the scenario set to 30 minutes. 


Competencies differ — uniting them is a must 


In some cases, the joint efforts made it possible to mitigate even those attacks that would otherwise have been missed. Thus, organization 3 could not cope with the first scenario on its own. However, in the second launch, the use of the platform and the efforts of other participants were enough to protect the organization. In a real situation, this would have saved the company from losses associated with its web resources being unavailable. 


Some threats are still almost irresistible 


The ransomware infection turned out to be the most difficult scenario for the participants: only one company was able to mitigate the attack independently. Companies showed the best results in the web-based application attack. 


Differing levels of maturity of capabilities and competencies were 
observed among the participants, which reflects reality. For example, 
organization 2 coped best with the DDoS attack, and organization 3 
could not block it on its own. At the same time, organization 3 was 
the first to stop the attack on their web application and was the only 
one to successfully mitigate the ransomware infection in the first 
round of the scenario. 


In the real world, cooperation between these companies could be extremely effective: exercising best practices in such a situation helps to bridge the competency gap in each company, and actual data exchange — via the platform or otherwise — increases the chances of success in the fight against a real attack. 


Cyber Polygon is to become an annual event, with the next one being planned for July 2020. Relying on the results gathered from the first training, we hope to convince the global community of the efficiency of such exercises and demonstrate the process of global collaboration as a whole, thus attracting more international participants to exercise their cybersecurity capabilities and contribute to our common goal, which is to combat global cybercrime. 
Up against everyone: What are modern DDoS attacks capable of? What is the source of such destructive power? 


What are modern DDoS attacks capable of? 


DDoS attacks are an extremely popular tool to disrupt virtually any online business. Even a brief downtime of Internet resources translates into [...] damages to reputation. 


[...] even those considered industry giants. With current network technologies, such attacks threaten large infrastructure providers and entire industries. For example, the gaming [...] accessibility to Xbox Live and PlayStation Network services for two consecutive years, around the New Year celebrations.[26] 


However, real problems begin when a country is attacked: government services portals, the public transport system and mobile services cease to work. The Czech Republic has already experienced the consequences of such attacks.[27] For this to happen to other countries is only a matter of time. 


What is the source of such destructive power? 


The reason why the power of DDoS attacks is growing exponentially is simple. Over the past 5 years, the weapon of choice has been to conduct attacks using the amplification technique. 


During amplification, the attacker overloads the victim's resources using legitimate protocols that respond to a short request with a large packet of data. A typical example of such a protocol is the DNS (Domain Name Server) system: in response to a domain name request, it sends out a list of IP addresses and other reference systems. Another example is the NTP (Network Time Protocol) system, which is used to synchronize the computer's internal clocks. The packet coming from such a service contains not only the current date and time but also a lot of other data, such as version numbers, polling interval, delays, source identifier, etc. 


26. “Kim Dotcom May Have Just Saved Holiday Gaming” 


An attacker finds a vulnerable server with the desired system and, using IP address spoofing, sends a request supposedly on behalf of the victim. The server replicates the response repeatedly and directs it to the target resource. As a result, the cybercriminal sends out small packets without any real strain on their channel, and the amplifier responds to the targeted website with volumes of information several times larger, until it completely paralyzes its operations. 
When we write a letter and indicate our address on the envelope, no one checks to see if we really live there. In fact, this is not the address of the sender, but the address to which we want to receive a response. Therefore, we can send a personal letter [...]; in cyberspace this means receiving a response packet to the desired IP address. 


It is the amplification technique that helps in carrying out high-speed DDoS attacks. For a successful attack at a speed of a couple of terabits per second, a hacker will require a network with a bandwidth of only a few gigabits. Moreover, theoretically speaking, 1 byte sent by the attacker can increase the leverage of an attack by 126,237,332 times![28] Looking at this it becomes clear that the capabilities of the victims and the attackers are completely unequal. If we look at this in terms of a marathon, for every kilometer an attacker covers in the park, the targeted business has to journey from the Earth to the Sun just to maintain pace. 


27. “Thieves in the night: Cyber-attack in the Czech Republic”, The Economist, 13 March 2013. 


28. According to measurements taken with Radar.Qrator.net. 


Attack leverage — the ratio between the attacker's resources and the protection resources. 
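To make the leverage definition concrete, here is an added example (not code from this report or from Qrator Labs) that computes per-packet leverage and the bandwidth that lands on the victim, and then applies a simple defender-side check to constructed flow records: large UDP replies from amplifier-class services sent to a host that was never seen requesting them are the signature of spoofed-source amplification. The flow records, the port list and the thresholds are assumptions made for the illustration.

```python
"""Amplification leverage and a reply-flow check for amplification traffic.

Added example, not code from the Cyber Polygon report or from Qrator Labs.
The flow records, thresholds and service/port list below are constructed.
"""
from dataclasses import dataclass


def leverage(request_bytes: int, response_bytes: int) -> float:
    """Attack leverage for one exchange: bytes the amplifier emits per byte
    the attacker sends (the ratio the report defines, at packet level)."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def victim_bandwidth_bps(attacker_bps: float, amplification: float) -> float:
    """Traffic arriving at the victim for a given attacker uplink and
    amplification factor: a few Gbit/s of spoofed requests become Tbit/s."""
    return attacker_bps * amplification


@dataclass(frozen=True)
class ReplyFlow:
    """One aggregated flow of replies leaving a service towards dst_ip."""
    proto: str
    src_port: int        # service port on the responding host
    dst_ip: str          # where the replies were sent
    packets: int
    bytes: int
    requests_seen: int   # requests from dst_ip actually observed (0 = unsolicited)


# Services the report names as amplifiers, keyed by their UDP port (assumed).
AMPLIFIER_SERVICES = {53: "DNS", 123: "NTP", 11211: "memcache"}

# Constructed sample: a normal DNS exchange, two amplification patterns toward
# the same (spoofed) victim address, and unrelated TCP/443 traffic.
SAMPLE_FLOWS = [
    ReplyFlow("udp", 53, "192.0.2.10", packets=3, bytes=360, requests_seen=3),
    ReplyFlow("udp", 53, "198.51.100.7", packets=4000, bytes=13_600_000, requests_seen=0),
    ReplyFlow("udp", 123, "198.51.100.7", packets=9000, bytes=4_000_000, requests_seen=0),
    ReplyFlow("tcp", 443, "192.0.2.11", packets=200, bytes=250_000, requests_seen=190),
]


def suspicious_reply_flows(flows, min_avg_bytes=400, max_request_ratio=0.1):
    """Flag reply flows from amplifier services whose packets are large and
    for which (almost) no matching requests from the destination were seen.
    Returns a list of (dst_ip, service, average_bytes_per_packet)."""
    hits = []
    for f in flows:
        if f.proto != "udp" or f.src_port not in AMPLIFIER_SERVICES:
            continue
        avg_bytes = f.bytes / f.packets
        request_ratio = f.requests_seen / f.packets
        if avg_bytes >= min_avg_bytes and request_ratio <= max_request_ratio:
            hits.append((f.dst_ip, AMPLIFIER_SERVICES[f.src_port], round(avg_bytes)))
    return hits


if __name__ == "__main__":
    # a 64-byte spoofed query answered by a 3400-byte response
    print("leverage:", leverage(64, 3400))
    print("Tbit/s at victim:", victim_bandwidth_bps(5e9, 400) / 1e12)
    for hit in suspicious_reply_flows(SAMPLE_FLOWS):
        print("possible amplification reply flow:", hit)
```

The request-ratio test is what distinguishes an amplifier being abused from a busy but legitimate resolver: a host that really asked for the answers shows up as the source of matching requests, a spoofed victim never does.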


Today, there are approximately 9 million vulnerable services on the Internet that can be used for amplification. Neither botnets nor serious programming skills are required to use them. 


Servers with vulnerable services are located all over the world (Fig. 1), and the attack is usually organized using amplifiers from different regions. The global distribution of the attack also makes it difficult to apply geographic filters. The power behind DDoS is so great that the attack could easily spill over onto the entire infrastructure of providers associated with the victim. 





Fig. 1. Heat map of sources of amplification 
We can change the rules of the game if we [...] security and the development of Internet [...] exchange of information about new attack techniques and network vulnerabilities — this is what can bring our protection to a new level. 


We see a positive result of coordinated actions in the case of the DNS system. DNS was the first protocol used to organize amplified attacks [...] the number of DNS amplifiers is decreasing (Fig. 2) due to the efforts of telecom operators: identifying and removing vulnerable resources from the network that are involved in amplified attacks without the knowledge of their owners. 

Fig. 2. Dynamics of DNS amplifiers 


In the case of another protocol — memcache — the result of coordinated action manifested itself in a matter of weeks. Memcache was used to carry out the most powerful attack in the history of the Internet, with an incoming traffic intensity of 1.7 Tbps. Thanks to the prompt response of the professional community, we observed a sharp drop in the number of memcache amplifiers (Fig. 3): in just a month, the attack potential dropped from 1.7 Tbps to 200 Gbps. 

Fig. 3. Dynamics of memcache amplifiers 


Such problems can be resolved in hours rather than weeks or months. This can become a reality if we have well-functioning communication tools, a unified legislative framework used in all countries, more advanced protocols, infrastructure and technology, and most importantly — involvement from all parties: the business, the [...] community and the state. 


Of course, the mechanism for combating global DDoS attacks is not simple, and a solution is not to be expected either today or tomorrow. However, collaboration can be the key to the effective mitigation of modern Internet threats. 





Web application attacks: the past, present and future 


Andrew Petukhov, CEO of SolidLab 


The present: why web applications are vulnerable to attacks 
The future: which technology trends influence attacks 


Web applications store valuable data for attackers and provide a useful service to them. And most importantly, web applications are the entry point to many organizations: a successful web attack could take a cybercriminal right into the internal network. 


Today we'll try to understand the present and the future of web attacks: 

- Why are web applications vulnerable to cyberattacks; 
- What can be done to reduce the number of vulnerabilities; 
- Which trends can influence this; 
- What does the future hold for us. 


We shall look at this through the examples of two types of attacks: 

- Injection attack — an attack targeting application parameters by embedding code into the system; 
- Non-Injection attack — an attack not concerned with code embedding, but rather, in most cases, the exploitation of vulnerabilities in the application's authentication procedure. 


The present: why web applications are vulnerable to attacks 


Attacks on web applications do not happen out of nowhere — they are the result of vulnerabilities and deficiencies within web applications. 


The type and structure of web attacks is determined by: 

- human flaws introduced by web application developers; 
- deficiencies in functionality, development, web application configuration, and so on. 


In this article, we will talk about the first reason — the human factor at the development stage. 


Developers, like all people, strive to solve problems with minimal effort. If nothing bothers them, they will apply the Occam's razor approach to a certain application function. However, simple does not always mean safe. 


Consequently, vulnerabilities are bound to manifest themselves in the application's production environment, unless this is prevented by either: 

- the framework and application architecture that will not allow incorrect coding, or 
- the testing procedures, or what is also known as 'quality assurance'. 


Let us examine how these factors affect the vulnerability of applications to Injection and Non-Injection attacks. 


Injection attacks 


The nature of Injection attacks 


Injection attacks arise due to the fact that the developer does not provide special processing (sanitization) of untrusted data. 


Forming the logic and structure of the request into an external subsystem, the developer takes the constant part and adds to it the parametric part, which depends on the user. To link the parts, simple concatenation is used — that is, gluing strings together without additional protective measures. If a string containing code written in the language of the request is passed as a parameter, its concatenation with the constant part will result in this string being embedded in the query and thereby changing it. As a result, the external user receives partial control over the structure of requests made to the external subsystem — to its database, for example. 


From the observer's point of view, it is easy to distinguish a legitimate request from a request associated with a web attack. 


Take, for example, the code for some news web page that is responsible for delivering the news selected by the user (PHP; the string concatenation is the defect the article is describing): 


    $id = $_GET["id"]; 

    $query = "SELECT * FROM news WHERE id=" . $id; 


The parameter $id — the news identifier — comes from the user in a GET request. 


The query $query returns all fields (marked as *) from the news table for the news item with the identifier specified by the user. 


With a normal request to the application, we see the standard value of the parameters. For example, a request for issuing the news item with identifier 14 will look like this: 


/index.php?id=14 


In the case of web injection, we would see a clear syntactic anomaly. To implement the attack, the attacker will have to inject the corresponding language constructs — in this case, SQL — into the request, which will noticeably violate the type of request sent to the web application. 


For example, using a string such as this, an attacker can force the server to issue not only the news with identifier 14, but also the identifier, name and password hash of the first user (LIMIT 1) in the users table: 


    /index.php?id=14 UNION SELECT id, uname, hash FROM users LIMIT 1 


It is precisely this anomaly in the parameters of HTTP requests that serves as a hint for the protectors of the web application: the query language operators are a sign of an active attack on the service. 


The UNION operator allows two sets of data (tuples) to be produced simultaneously. In our case, these are the news fields with identifier 14 and the information on the first user. 


Note that to use UNION it is necessary that the number of fields in the selection from the users and news tables match. An attacker does not initially know the number of fields in a selection from news. Therefore, they iterate over a different number of fields when querying users, until they get a result. 


Suppose a news bulletin has three fields: identifier, headline, and text. Then a row with three fields in the query on the users table (id, uname and hash) will allow UNION to work. 


However, a real web application, in response to our request, would most likely show the news with id=14, yet the tuple from the users table would not have been rendered in HTML. This behavior is explained by the logic of the web application code: the developer expects to receive only one tuple from the database, the data from which will be used to create the HTML page. Accordingly, regardless of the size of the selection from the database, only the first row of the result will be displayed in HTML. 


This logic can be easily circumvented: it is enough for attackers to specify a knowingly non-existent news identifier, for example -1. 


There is definitely no news with id = -1 in the database, so the HTML page will be built on the basis of a tuple from the users table: the username will be displayed as the heading of the news, and the password hash will be displayed as the body of the news. 


The types of code injection attacks are as numerous as the variety of query languages in external systems: 

- SQL Injection for the SQL language (used when working with databases); 
- LDAP Injection for the LDAP language (used to communicate with log services); 
- OS Command Injection — injection of an operating system command for an interpreted 'bash' language; 
- XSS for HTML and JavaScript code, etc. 


How to reduce the number of Injection attack vulnerabilities 


The prevalence of vulnerabilities to Injection attacks is explained by the fact that it is much easier for developers to concatenate strings than to use more complex procedures for generating a request into an external subsystem. Concatenation is very natural: it occurs several times for every hundred lines of code. 


How can we avoid such mistakes? It would be convenient if the frameworks for creating web applications provided developers with tools that allowed them to specify where the constant part and the parametric part were in the request. For some languages, such tools already exist: for example, prepared statements for working with SQL, or template engines for generating HTML pages. 


They are used as follows: the developer generates a request to the tool, in which they indicate the parametric part, and then sets the value received from the user specifically for this parametric part. The tool ensures that the query structure, regardless of the value of the parametric part, remains unchanged. 
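The following added example (not code from the article or from SolidLab) puts the two approaches side by side on the article's own news/users case, using Python's sqlite3 driver: a query built by concatenation, a prepared statement with a placeholder for the parametric part, a rendering function that shows only the first row the way the article describes, and a detection check in the spirit of the WAFs discussed later in the article. The schema, the sample rows, the hash value and the helper names are constructed for this illustration. Note that with sqlite3 the trailing LIMIT 1 applies to the whole UNION, so the concatenated query returns exactly one row; which of the two rows it is depends on the engine's ordering, which is why the -1 variant is the decisive case.

```python
"""Concatenated vs. parameterised SQL on the article's news/users example.

Added example, not the article's code: schema, rows, hash value and
function names are constructed for this illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with the two tables the article talks about."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, headline TEXT, body TEXT)")
    con.execute("CREATE TABLE users (id INTEGER, uname TEXT, hash TEXT)")
    con.execute("INSERT INTO news VALUES (14, 'Cyber Polygon 2019', 'Five organisations took part.')")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value')")
    con.commit()
    return con


def news_concat(con, user_id: str):
    """Vulnerable: constant part + parametric part glued together, the
    equivalent of  $query = "SELECT * FROM news WHERE id=" . $id;"""
    query = "SELECT * FROM news WHERE id=" + user_id
    return con.execute(query).fetchall()


def news_prepared(con, user_id: str):
    """Hardened: the query text is constant, '?' marks the parametric part
    and the value travels separately, so it can never alter the structure.
    The identifier is also type-checked, as a numeric id should be."""
    try:
        ident = int(user_id)
    except ValueError:
        return []
    return con.execute("SELECT * FROM news WHERE id=?", (ident,)).fetchall()


def render_first_row(rows):
    """Mimics a page that renders only the first tuple as headline and body,
    which is what makes the id=-1 trick work in the article."""
    if not rows:
        return None
    _, headline, body = rows[0]
    return {"headline": headline, "body": body}


def looks_like_sql(param: str) -> bool:
    """Detection in the spirit of a WAF: a parameter that should be an
    integer but carries query-language operators is a syntactic anomaly."""
    if param.strip().lstrip("-").isdigit():
        return False
    lowered = param.lower()
    return any(tok in lowered for tok in ("union", "select", " from ", "--", "'"))


# The article's injected parameter, and the -1 variant.
INJECTED = "14 UNION SELECT id, uname, hash FROM users LIMIT 1"
INJECTED_NEG = "-1 UNION SELECT id, uname, hash FROM users LIMIT 1"


if __name__ == "__main__":
    con = make_db()
    print("normal  :", render_first_row(news_concat(con, "14")))
    print("injected:", render_first_row(news_concat(con, INJECTED_NEG)))  # leaks the users row
    print("prepared:", news_prepared(con, INJECTED_NEG))                    # []
    print("flagged :", looks_like_sql(INJECTED), looks_like_sql("14"))
```

The prepared statement is the fix; the integer check and the anomaly check are defence in depth, which is the layering the article's later remarks on WAFs describe.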


Non-Injection attacks 


The nature of Non-Injection attacks 


In essence, Non-Injection attacks are those not related to code injection, but this is easier to explain with an example. 


Imagine a web forum where any user can post and delete their comments under other posts. When deleting a comment, the user accesses the delete-comment.php module of the web application and passes the identifier of the desired comment to it. 


Suppose a user leaves a comment with identifier 14, and now wants to delete it. This is what a legitimate deletion request would look like: 


    /delete-comment.php?id=14 


And this is what the attack would look like if our user wanted to delete someone else's comment with identifier 16: 


    /delete-comment.php?id=16 


This type of attack is called Insecure Direct Object Reference. Such attacks are a special case of authorization errors: an attack becomes possible due to the lack of control over user access to other people's objects in the application. 


It is important to note that the two queries are no different in terms of syntax, values, and parameter structure. Therefore, it is completely impossible for an external observer to detect such attacks, unless one completely models the logic of the protected application. 
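As an added example (not the article's code), here is the comment-deletion handler in Python in two forms: one that acts on whatever identifier arrives, and one that resolves the object and checks the caller's relation to it before acting. The request parser shows why nothing syntactic separates id=14 from id=16; the comment store, the user names and the function names are constructed for this illustration.

```python
"""Delete-comment handler with and without an ownership check (IDOR).

Added example illustrating the article's delete-comment.php case; the
in-memory store, user names and function names are constructed.
"""
from urllib.parse import parse_qs

# Constructed store: comment id -> author name
COMMENTS = {14: "alice", 16: "bob"}


class Forbidden(Exception):
    """Raised when the caller does not own the referenced object."""


def parse_delete_request(query_string: str) -> int:
    """Turn 'id=16' into an integer.  The legitimate request (id=14) and the
    IDOR request (id=16) are syntactically identical, so parsing and input
    validation cannot tell them apart; only authorization can."""
    values = parse_qs(query_string).get("id", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError("id must be a single non-negative integer")
    return int(values[0])


def delete_comment_unchecked(store: dict, current_user: str, comment_id: int) -> bool:
    """Vulnerable: trusts the object reference, so alice can delete bob's
    comment 16 simply by naming it."""
    return store.pop(comment_id, None) is not None


def delete_comment_checked(store: dict, current_user: str, comment_id: int) -> bool:
    """Hardened: resolve the object, then verify the subject's relation to it
    (ownership) before acting.  Not-found and not-yours are kept distinct
    here for clarity; a real handler may collapse both into 404."""
    owner = store.get(comment_id)
    if owner is None:
        return False
    if owner != current_user:
        raise Forbidden(f"{current_user} does not own comment {comment_id}")
    del store[comment_id]
    return True


def run_scenario(handler):
    """Replay the article's two requests as user alice against a fresh copy
    of the store.  Returns (surviving comments, second request refused?)."""
    store = dict(COMMENTS)
    refused = False
    handler(store, "alice", parse_delete_request("id=14"))      # her own comment
    try:
        handler(store, "alice", parse_delete_request("id=16"))  # bob's comment
    except Forbidden:
        refused = True
    return store, refused


if __name__ == "__main__":
    print("unchecked:", run_scenario(delete_comment_unchecked))  # ({}, False)
    print("checked  :", run_scenario(delete_comment_checked))    # ({16: 'bob'}, True)
```

The ownership test belongs in one place that every handler touching comments calls, which is the centralized access control the article goes on to recommend; a check copied into each endpoint is the one that eventually gets forgotten.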


How to reduce the number of Non-Injection attacks 


Avoiding authorization errors in application code is, indeed, difficult. 


First of all, in order to avoid such vulnerabilities, the developer must remember to put an access control check on every point where data from the user is processed. The more such processing points, the higher the likelihood that at the next stage the verification will be forgotten. A centralized and systemic implementation of the access control subsystem can help here, but this happens very rarely. 


Secondly, most applications utilize the less expressive RBAC (Role-Based Access Control) model to formulate access control rules. Using RBAC leaves us far from being able to implement all access control business rules. To compensate for the limitations of RBAC, developers have to write their own code, where errors may creep in. 


The separation of access according to the RBAC model is based on the creation of roles: manager, accountant, system administrator, leader, etc. Each role is allowed to perform its own set of actions: manager — confirm orders, accountant — pay bills, IT department employee — install software on computers. 


The inconvenience of RBAC is that new roles must be created to express complex business rules. For example, a company has several branches, and managers can confirm orders only at their respective branch. To share access according to the RBAC model, one will need the roles of “Branch Manager 1”, “Branch Manager 2” and separate rules for each case: “Branch Manager 1 can only confirm orders for Branch 1”, “Branch Manager 2 can confirm orders only for Branch 2” and so on. 


But most importantly, RBAC only expresses rules based on predefined properties. 


Thirdly, and most importantly — the framework on which the application is implemented cannot take on the task of access control. Procedures like a request to an external subsystem — with vulnerability to Injection attacks depending on their correct implementation — are routine and are described at the code level. But the tasks of access control are related to the subject area of the application, and therefore are directly related to the business rules that the application automates. The framework does not know anything about them, which means that the developer will somehow have to specify access control rules in the code independently. 


For these reasons, in our opinion, authorization errors are not going anywhere anytime soon, despite the advances in development tools. 


The future: which technology trends influence attacks 


In the second part of the article, we will examine how the landscape of Injection and Non-Injection attacks can change in the near future. 


In part, this is determined by two trends that dictate changes in the field of web application development tools, changes that would prevent web developers from making mistakes. 


Firstly, the release cycle of applications is getting shorter. An application in a production environment can change several times a day, and there is no way to fully test each release manually to make sure there are no flaws. This market demand is supported by rapid development techniques, agile development, which are reflected in the concept of CI/CD (Continuous Integration/Continuous Delivery and Deployment). 


Secondly, keeping pace with this trend, application architecture has changed from monolithic to microservice. Previously, the application was built as a whole, all the components and modules of which worked with a single database. With a microservice architecture, an application is built from modules that run as separate processes, work with their own databases, and can have separate servers. This architecture allows more flexible, more stable, more scalable applications to be created, as well as specific components to be replaced independently of others. 


Tools that support web application development have been following these trends. New programming languages have appeared that simplify the work of developers within these concepts, as well as new frameworks and shared libraries. 


Let us see how all the above affected the 
structure of Injection and Non-Injection attacks. 


Injection attacks: evolution of tools 


Problems of the past 


Previously, as we have already mentioned, due to the immaturity of the tools, developers prepared a request to the external subsystem by concatenating the constant and parametric parts. This often led to an injection. Common types of attacks were SQL Injection, OS Command Injection, XSS (Cross-Site Scripting), and the like. 


In the course of advancing development tools, the framework gradually relocated the field of responsibility from developers to itself: 

- the appearance of the ORM concept to work with DBMS; 

ORM (Object-Relational Mapping) is a programming technique with which one can organize two-way communication between database entities (records) and entities of object-oriented programming languages (objects). 

Using ORM, developers need not think about how their programming language interacts with databases. ORM itself converts the objects into an understandable database format, and database records into objects familiar to the developer. 

Thus, the developer does not have to write monotonous SQL queries and access the database directly. This reduces the impact of the human factor, and ultimately improves application security. 

- template engines appeared, both on the server side and on the client side, which no longer made it easy to simply allow a vulnerability that could lead to an XSS attack; 

- WAF (Web Application Firewalls), an imposed security tool, appeared to protect web applications. Due to the fact that attacks of the Injection type demonstrate syntactic anomalies in HTTP requests, WAF managed these attacks quite effectively. 


Present solutions 


With the transition to microservice architecture, development tools in this framework have been taking on more and more routine operations. Developers are now far less likely to make a mistake. 


In most modern frameworks, the interaction between the client and the server can be built using the JSON protocol. At the same time, on the client side, JavaScript frameworks allow parameters received from the server side to be safely added to the page. The most common of these frameworks are AngularJS and ReactJS. Cross-Site Request Forgery attack protection is included in the framework by default. 


In general, we can say that 'safety by design' is the concept of many modern frameworks. 


New threats 


Microservice architecture is associated not only with solutions, but also with new problems. 


A serious danger has been the SSRF (Server-Side Request Forgery) class of attacks, which loudly announced itself three years ago. In this attack, an attacker can force the server to make a near-arbitrary request to any backend service, any API (Application Programming Interface) endpoint that was previously inaccessible to them. As a result, an attacker can obtain additional, often administrative, functions from the targeted web application. 


Also, due to the new architecture, code injection attacks have become possible in the requests with which microservices communicate with each other. Microservices build HTTP requests to each other from the constant and parametric parts. If the parametric part of the request is based on user data that is not checked properly, then the attacker can manipulate the target HTTP request to the internal microservice. For example, an attacker is able to override parameters in a request, add custom parameters, or even send a request to another API endpoint. 
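To show this failure mode on the wire, here is an added example (not the article's code) in Python: an internal order-service URL assembled by concatenation, which lets a crafted value add or override parameters, next to an assembler that fixes the path from an allow-list, type-checks the identifier and URL-encodes the value so it can only ever be the value of one parameter. The service host, the endpoint names and the parameter names are assumptions made for the illustration.

```python
"""Building an internal microservice request from constant and parametric parts.

Added example, not from the article: the service host, endpoint names and
parameters below are constructed.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

ORDER_SERVICE = "http://orders.internal:8080"        # constructed internal host
ALLOWED_ENDPOINTS = {"order", "invoice"}            # routes this caller may use


def build_concat(order_id: str) -> str:
    """Vulnerable: the user-derived value is glued into the query string, so
    '42&role=admin' becomes a second parameter on the internal request."""
    return ORDER_SERVICE + "/api/order?id=" + order_id


def build_encoded(order_id: str) -> str:
    """Better: urlencode() escapes '&' and '=' so the whole string stays the
    value of 'id'; the structure of the request can no longer change."""
    return ORDER_SERVICE + "/api/order?" + urlencode({"id": order_id})


def build_safe(endpoint: str, order_id: str) -> str:
    """Hardened: path from an allow-list, identifier type-checked, value
    encoded.  Structure and destination are fixed by the code, not the input."""
    if endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError("endpoint not allowed")
    if not order_id.isdigit():
        raise ValueError("order id must be numeric")
    return f"{ORDER_SERVICE}/api/{endpoint}?" + urlencode({"id": order_id})


def as_seen_by_receiver(url: str) -> dict:
    """Path and parsed query parameters as the receiving microservice sees them."""
    parts = urlsplit(url)
    return {"path": parts.path, "query": parse_qs(parts.query)}


if __name__ == "__main__":
    hostile = "42&role=admin"
    print(as_seen_by_receiver(build_concat(hostile)))   # id=42 plus an injected role=admin
    print(as_seen_by_receiver(build_encoded(hostile)))  # a single id value, no extra parameter
    print(build_safe("order", "42"))
```

Encoding alone stops parameter injection; the allow-list and the type check are what stop the request from being redirected to an endpoint the caller was never meant to reach.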


Finally, speaking about new threats, let us consider a rather funny class of vulnerabilities — Server-Side Template Injection. When there were tools for creating web page templates, there was also a language for creating these templates. And with it we saw the emergence of developers who form these templates by concatenating trusted and untrusted data. This created a server-side template injection vulnerability and a corresponding class of attacks. The funny aspect of this is that the concept of concatenation turned out to be so 'natural' to developers that even the means of the new frameworks could not eradicate bad habits. 
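An added example (not the article's code) with Python's standard-library string.Template, which has the same trap as any template engine: when user data is concatenated into the template source, the engine parses it, and a placeholder such as ${db_password} is resolved against whatever the template context holds; passing the data as a context value leaves it inert. The configuration value and the helper names are constructed.

```python
"""Server-Side Template Injection shown with the standard library's
string.Template.  Added example, not the article's code; the configuration
value and helper names are constructed.
"""
import re
from string import Template

# Constructed context the page template is rendered against.
CONTEXT = {"db_password": "constructed-secret"}


def render_concat(user_name: str) -> str:
    """Vulnerable: user data becomes part of the template *source*, so
    template syntax inside it is interpreted by the engine."""
    template = Template("Hello, " + user_name + "!")
    return template.safe_substitute(CONTEXT)


def render_context(user_name: str) -> str:
    """Hardened: the template is a constant written by the developer; user
    data enters only as a value and is never parsed as template syntax."""
    template = Template("Hello, $name!")
    return template.safe_substitute(CONTEXT, name=user_name)


_PLACEHOLDER = re.compile(r"\$\{?[_a-zA-Z][_a-zA-Z0-9]*\}?")


def template_tokens(value: str) -> list:
    """Detection aid: placeholders found in a value that should be plain
    text.  Useful in logs or a WAF rule, not as a substitute for the fix."""
    return _PLACEHOLDER.findall(value)


if __name__ == "__main__":
    probe = "${db_password}"
    print(render_concat(probe))    # Hello, constructed-secret!
    print(render_context(probe))   # Hello, ${db_password}!
    print(template_tokens(probe))  # ['${db_password}']
```

The same distinction applies to full template engines: the template text must come only from the developer, and anything user-derived goes into the render context.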


Future solutions 


As technology advances, the security characteristics of the microservice architecture are also expected to grow. Among other things, we can expect that: 

- microservices will mutually authenticate and authorize each other. In this case, the consequences of possible SSRF attacks will be minimized; 

- development tools will appear for building HTTP requests between microservices that can safely handle various [...] 


Non-Injection attacks: evolution of access control 


The past 


In monolithic applications, access control checks were dispersed throughout the code ('spaghetti' style). Due to the number of checks in the code, there were many places where the developer could potentially leave a mistake. As a result, vulnerabilities of the Insecure Direct Object Reference class and related attacks were quite common. 


The present 


With the introduction of microservice 
architecture, the only things to change were the 
means of expressing access control rules and 
the means of managing these rules. And thus 
the concept of claims-based authorization and 
JSON Web Token (JWT) appeared and was 
adopted. 


Conceptually, nothing has changed: today there 
is no sufficiently widespread framework that 
would integrate the access control subsystem 
into the new architecture. WAFs are still unable 
to cope with the detection of Non-Injection 
attacks on such applications. 


The future 


In order to protect web applications from Non-Injection attacks we anticipate: 

- the improvement of tools and, most importantly, of the methodological approach related to the integration of the access control subsystem into microservice architecture; 

- the emergence of simpler tools that will allow developers to express access control rules through, for example, the ABAC (Attribute-Based Access Control) model. Thus, the access control subsystem can serve not only for the protection of users, but also for safer interaction of microservices among themselves; 


The separation of access according to the ABAC model is based not on roles, as with RBAC, but on attributes. 


Let us take the example with RBAC: a company has several branches, and managers can only confirm orders within their branch. According to the ABAC model, this condition is described through three attributes: 


    Subject.Duty = "Manager" 
    Object.Type = "Order" 
    Subject.Branch = Object.Branch 


This rule will work no matter how many branches the company has, and their number does not need to be known in advance. 


When using the ABAC model, one does not need to introduce many roles, it is easier to understand the logic of the rules and easier to maintain them. Because of this, access sharing errors are less common. 
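The branch-manager rule expressed both ways, as an added example (not the article's code): an RBAC table that needs a role and a permission row per branch, and an ABAC policy that is the article's three attribute conditions written as one function. The subjects, objects and attribute names are constructed.

```python
"""RBAC versus ABAC for the article's branch-manager rule.

Added example, not the article's code; subjects, objects and attribute
names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    duty: str      # "Manager", "Accountant", ...
    branch: str    # "Branch 1", "Branch 2", ...


@dataclass(frozen=True)
class Obj:
    type: str      # "Order"
    branch: str
    order_id: int


# RBAC: one role per branch, one permission row per role.  Every new branch
# needs both a new role and a new rule, which is how roles multiply.
RBAC_PERMISSIONS = {
    "Branch Manager 1": {("confirm", "Order", "Branch 1")},
    "Branch Manager 2": {("confirm", "Order", "Branch 2")},
}


def rbac_role_for(subject: Subject) -> str:
    """The role name has to encode the branch for RBAC to express the rule."""
    if subject.duty != "Manager":
        return ""
    return "Branch Manager " + subject.branch.split()[-1]


def rbac_allows(subject: Subject, action: str, obj: Obj) -> bool:
    perms = RBAC_PERMISSIONS.get(rbac_role_for(subject), set())
    return (action, obj.type, obj.branch) in perms


# ABAC: the article's rule as written, over attributes:
#   Subject.Duty = "Manager", Object.Type = "Order", Subject.Branch = Object.Branch
def confirm_order_rule(subject: Subject, action: str, obj: Obj) -> bool:
    return (action == "confirm"
            and subject.duty == "Manager"
            and obj.type == "Order"
            and subject.branch == obj.branch)


ABAC_POLICY = [confirm_order_rule]   # further rules would simply be appended


def abac_allows(subject: Subject, action: str, obj: Obj) -> bool:
    """Deny by default; allow if any rule in the policy grants the action."""
    return any(rule(subject, action, obj) for rule in ABAC_POLICY)


def decide(subject: Subject, action: str, obj: Obj) -> tuple:
    """(RBAC decision, ABAC decision) for the same request."""
    return rbac_allows(subject, action, obj), abac_allows(subject, action, obj)


if __name__ == "__main__":
    ann = Subject("ann", "Manager", "Branch 1")
    bo = Subject("bo", "Manager", "Branch 3")      # branch opened after the roles were written
    order1 = Obj("Order", "Branch 1", 1001)
    order3 = Obj("Order", "Branch 3", 3001)
    print(decide(ann, "confirm", order1))   # (True, True)
    print(decide(ann, "confirm", order3))   # (False, False)
    print(decide(bo, "confirm", order3))    # (False, True): RBAC has no role for Branch 3
```

The third case is the article's point: the ABAC rule keeps working for a branch that did not exist when the policy was written, whereas RBAC silently denies until someone remembers to add the role and its rule.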


- WAF development. The current situation is a serious challenge for Web Application Firewalls, which are still weak at detecting Non-Injection attacks. That is why, among other things, Security Operations Centres (SOC) are gaining popularity: people are more effective at detecting such threats than firewalls. I would like the implemented security measures to unburden analysts of this task. 
How to protect oneself against ransomware? 


What are the [...] 


Ransomware is a type of malware that encrypts data on the victim's computer and holds the contents for ransom. To regain access to files, the victim has to pay to get the decryption key. Payment instructions often appear in a pop-up message on the victim's computer or are received via email. However, following the instructions does not guarantee that the victims will eventually receive the key to restore their files. 


Recently, cybercriminals have been moving away from mass ransomware attacks to targeted and potentially more profitable campaigns. Due to careful selection of the target, this type of attack becomes a more serious threat for companies. 


A recent cyberthreat analysis report by [...] 


Nearly three quarters of ransomware and other malware reaches its victims through targeted phishing (spear phishing). These are emails that are aimed at a specific audience: for example, system administrators, graduates of a specific school or employees of a particular company. 


Malware is attached to the letter under the guise of an important attachment — a […] court order — or placed on a phishing website. In the latter case, the victim is lured to a malicious resource and prompted to download […] accountant at a company may be directed to an ‘industry-relevant’ portal to save instructions on ‘how to pay taxes under the new rules, starting next week.’


It so happens that a legitimate resource may also turn out to be a trap. Attackers can compromise a legitimate website and replace working […] malicious macros. When an unsuspecting specialist opens such a document and confirms the execution of the macro, they will initiate the download and execution of encryption software.


[…] and the lack of self-control when working with […] ransomware attacks achieve their goal.

[…] distributors of ransomware is relatively low. The following helps to simplify and reduce the cost […]

Off-the-Shelf Ransomware Tools. Cybercriminals acquire ready-made software […] it on their own servers.


Ransomware as a Service. Cybercriminals get a set of exploits with all that is necessary for an attack, and share the profit with the supplier of the tool.


Ransomware Affiliate Programs. 
Cybercriminals register as partners to these 
programs, gain access to the Ransomware 
as a Service model, and begin to distribute 
malware themselves. 


These methods largely copy well-known service 
models. This is not surprising: cybercriminals 
are actively learning from legitimate businesses. 


[…] up. So, why is it so difficult to track down the criminals?

[…] payment conditions were employed in the most famous ransomware attacks:

Petya,
[…],
Cerber,
Locky,
[…],
[…],
Teslacrypt,
Fsociety Locker.


The ability to avoid being traced through […] why cryptocurrencies are popular among the instigators of such attacks. These methods are also appealing because of:

quick transfer of funds. No need to try and sell the stolen information to capitalize on it — the victim pays directly to the attacker;

[…] are no intermediaries and illegal transfers […] it is easy to convert the received funds into […]

established ecosystem. Cryptocurrency is widely supported in the affiliate programs and models of Ransomware as a Service.


How to protect oneself against ransomware?

[…] effective ones are integrated systems that make it possible to exchange information about threats and receive it from various sources using Threat Intelligence tools, and also to use the capabilities of machine learning, AI and cloud services to instantly respond to a […]

But technical means of protection alone are not enough. In order to successfully counteract ransomware attacks, you need to invest in staff training and infuse them with the skills […] safely; provide examples of fraudulent emails and compromised websites and explain how to distinguish them from legitimate ones. Regular cyber trainings with controlled distribution of malicious emails help to increase the user's resilience to external threats.
Topic background

Threat Intelligence story and market proposition

Types of TI

Threat Intelligence recipe

Future trends


We are living in possibly the most interesting but 
simultaneously in the most dangerous time in the 
history of mankind. 


On the one hand, this is the era of high technologies, when the number of devices connected to the Internet amounts to billions: smart cities and cars, the Internet of Things, clouds and cryptocurrencies.


On the other hand, this is the era of countless problems that we could not even have imagined before: targeted attacks that can bypass even the most advanced security solutions; encryption software paralysing hospitals and even cities; leakage of confidential information revealing digital profiles of citizens.


The concept of Threat Intelligence (TI) has emerged in the field of cybersecurity as a response to new threats that are dynamically changing and becoming more complex. We will examine what lurks behind these words and what the market is ready to offer us in 2019.


Topic background 


Over half of the managing directors interviewed for the Cisco 2018 Security Capabilities Benchmark Study experience problems with handling security events. At the same time, 44% of the events are simply ignored and not investigated.


These figures are an indicator of a serious 
problem: in such a situation, a compromise of 
the infrastructure may go unnoticed for years. 


Along with ineffective handling of security 
events, most organizations face the following 
difficulties: 


Lack of a comprehensive threat overview, impeding efficient security program development;


Poor prioritization of security alerts coming 
from many security technologies; 


Undiscovered threats lurking within the 
organization; 

Inefficient incident response, leading to high 
recovery costs. 


One of the main tools that helps to resolve 
these problems is information about threats, or 
Threat Intelligence. 


Threat Intelligence 
story and market 
proposition 


The Threat Intelligence (TI) market has been formed only recently. If you ask 10 cybersecurity experts for a definition of TI, you can get 10 completely different answers. However, TI has already passed important developmental stages.


In 2013, the research and consulting company Gartner first described what this phrase means:

Threat Intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.


But at that time chaos reigned in the market, as the well-known incident detection and response researcher and specialist David Bianco wrote:

‘Intelligence’ is a buzzword that can mean anything you want it to mean.


Where are we 6 years later? The market has transformed, becoming understandable and standardized. Many aggregators and startups have emerged, and this is one of the most important indicators of the maturation of any market. The number of TI jobs on LinkedIn alone is about 9,000.


Today, Threat Intelligence is a key part of operational activities in the security of a modern organization, from monitoring and detecting threats to Threat Hunting and responding to cyber incidents, from managing risks and vulnerabilities to raising management's awareness of the current cyberthreats landscape.


Threat Hunting, or proactive threat search, is the search for complex threats that otherwise would be missed by protective solutions. It is based on the understanding that there is no single solution to being secure from all threats — the most advanced ones can be hidden within the infrastructure for months, and remain there undetected without focused efforts of analysts.


Types of TI 


Analytical agencies (Forrester, IDS, Gartner) 
have put together a vision of the types of Threat 
Intelligence available for use: 


strategic — catered mainly to the decision makers, allowing them to assess the risks and devise a cybersecurity strategy (trend reviews, annual reports, personalized information);


operational — intended for daily use by 
analysts in the framework of protecting the 
infrastructure, investigating incidents and 
similar tasks (researching specific attacks, 
groups, information about security solutions, 
etc.); 


tactical — used in Threat Hunting and in 
building security systems (methodology — 
Tactics, Techniques & Procedures employed 
by criminals, as well as samples and 
configuration files of malicious software); 


technical — for the most part it is designed 
to be used in monitoring and security tools 
(large volumes of raw machine readable 
information, streams of indicators of 
compromise, correlation rules). 


It is worth noting another type of Threat 
Intelligence — verbal communication. Whether 
it is a conversation in a hotel bar after the 
conference or a discussion on the sidelines of 
a forum, people are involved in the exchange of 
information, and this is very important. 


This type of TI is jokingly referred to as Beer Intelligence. Despite the frivolous name, this information is in demand. ‘Request for information’ or ‘Ask the analyst’ are the services which are actively being promoted and in demand on the market. This allows the employees of organizations to turn to experts in a time of need.


Threat Intelligence 
recipe 


The creation of the Threat Intelligence 
framework within the organization is a rather 
complicated task. Already at the first stages the 
company will face such problems as: 


overabundance of data sources — they need 
to be verified and evaluated in order to select 
the suitable ones; 


overabundance of information — relevant 
data will have to be combed out from the 
information regarding other sectors and 
regions; 


data formats are different — they must be 
unified before they can be used. 


When a company begins to apply data, it might discover that:


plenitude of indicators of compromise leads to i) false positives and ii) SIEM overload at the initial stage of integration of Threat Intelligence into monitoring systems;


the number of events in the infrastructure is growing uncontrollably, and the monitoring service does not have time to study each event (as indicated in the Cisco study — 44% of events are ignored and not investigated).


How to make Threat Intelligence less time-consuming?


The right recipe for using TI involves three main steps.


1. Acquire — obtaining Threat Intelligence from 
internal and external sources. 


2. Aggregate — storage, processing and 
preparation of data for further use by 
analysts or by automated protective 
solutions. 


3. Action — putting TI to use.


To achieve a good result in each of the three stages, it is very important to choose the right data sources. In our opinion, the main criteria for choosing a provider should include:


intelligence with a global reach, providing the 
broadest attack visibility; 


a provider with a track record in spotting new 
threats early; 


context-rich, immediately actionable 
intelligence; 


delivery formats and mechanisms that 
allow easy integration into existing security 
controls. 


So, where to begin? The easiest way is to switch to downloading external TI data (machine-readable information) into monitoring systems such as SIEM. Even one specialist responsible for Threat Intelligence is able to build an initial framework that will allow the future use of Threat Intelligence in all cybersecurity processes: from basic monitoring to Threat Hunting within the third line of the Security Operations Centre.
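As an added example that is not from the report or any TI provider, the three-step recipe (acquire, aggregate, action) on constructed data in Python: two external feeds in different formats are acquired and unified, duplicates are merged while allowlisted and low-confidence indicators are dropped before they can flood the SIEM with false positives, and the result is matched against a few constructed log lines. Feed contents, field names, the confidence threshold, the allowlist and the log lines are all assumptions of this example.

```python
"""Added example, not from the report: the acquire / aggregate / action recipe
on constructed data.

Feed contents, field names, the confidence threshold, the allowlist and the log
lines are all constructed for this example and are not from any real provider.
"""
import csv
import io
import json
import re

# --- 1. Acquire: two external feeds that describe the same threats differently ---
FEED_A_CSV = """indicator,type,confidence,source
203.0.113.7,ipv4,90,feed-a
evil.example,domain,60,feed-a
198.51.100.23,ipv4,40,feed-a
"""

FEED_B_JSON = json.dumps([
    {"value": "203.0.113.7", "kind": "ip", "score": 0.7, "src": "feed-b"},
    {"value": "EVIL.example.", "kind": "fqdn", "score": 0.95, "src": "feed-b"},
    {"value": "8.8.8.8", "kind": "ip", "score": 0.99, "src": "feed-b"},
])

# Infrastructure the monitoring team knows is legitimate (here: a public resolver);
# alerting on it would only add false positives and SIEM load.
ALLOWLIST = {"8.8.8.8"}

# Each feed has its own type vocabulary; map both onto one.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain"}


def normalize(value: str, kind: str) -> tuple:
    """One representation per indicator: unified type, lowercase, no trailing dot."""
    value = value.strip().lower()
    kind = TYPE_MAP[kind]
    if kind == "domain":
        value = value.rstrip(".")
    return value, kind


def parse_feed_a(text: str):
    """CSV feed with a 0-100 confidence column."""
    for row in csv.DictReader(io.StringIO(text)):
        value, kind = normalize(row["indicator"], row["type"])
        yield value, kind, int(row["confidence"]), row["source"]


def parse_feed_b(text: str):
    """JSON feed with a 0.0-1.0 score; rescaled to 0-100 so feeds are comparable."""
    for item in json.loads(text):
        value, kind = normalize(item["value"], item["kind"])
        yield value, kind, round(item["score"] * 100), item["src"]


# --- 2. Aggregate: merge duplicates, then drop what would only generate noise ---
def aggregate(records, min_confidence: int = 50, allowlist=ALLOWLIST) -> dict:
    merged = {}
    for value, kind, confidence, source in records:
        if value in allowlist:
            continue
        entry = merged.setdefault(value, {"type": kind, "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], confidence)  # keep the best rating
        entry["sources"].add(source)
    # Keep an indicator if it is well rated or corroborated by more than one feed.
    return {value: entry for value, entry in merged.items()
            if entry["confidence"] >= min_confidence or len(entry["sources"]) > 1}


# --- 3. Action: the machine-readable result is matched against monitoring data ---
LOG_LINES = [  # constructed proxy and DNS events
    "2019-06-20T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.7 action=allow",
    "2019-06-20T10:01:09Z dns client=10.0.0.9 query=evil.example. rcode=NOERROR",
    "2019-06-20T10:02:11Z dns client=10.0.0.9 query=update.example rcode=NOERROR",
    "2019-06-20T10:03:40Z proxy src=10.0.0.7 dst=8.8.8.8 action=allow",
    "2019-06-20T10:04:00Z proxy src=10.0.0.7 dst=198.51.100.23 action=allow",
]

FIELD_RE = re.compile(r"\b(?:dst|query)=(\S+)")


def match_logs(indicators: dict, lines=LOG_LINES) -> list:
    """(indicator, log line, confidence) for every hit; a SIEM rule would alert on these."""
    hits = []
    for line in lines:
        for raw in FIELD_RE.findall(line):
            value = raw.lower().rstrip(".")
            if value in indicators:
                hits.append((value, line, indicators[value]["confidence"]))
    return hits


def run_pipeline():
    records = list(parse_feed_a(FEED_A_CSV)) + list(parse_feed_b(FEED_B_JSON))
    indicators = aggregate(records)
    return indicators, match_logs(indicators)


if __name__ == "__main__":
    indicators, hits = run_pipeline()
    print(f"{len(indicators)} indicators kept out of 6 feed records")
    for value, line, confidence in hits:
        print(f"hit {value} (confidence {confidence}): {line}")
```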


Future trends 


The Threat Intelligence ecosystem is growing rapidly. It is expected that the size of the TI market will exceed 10 billion US dollars by 2024, and the number of players will only grow.


Among the main market trends are the 
following: 


Unification & Automatization. It is becoming 
increasingly difficult for organizations to 
cope with the flow of inbound information. 
Automation of processing and unification of 
data formats should help to cope with this 
task. 


Tailored information. The goal of vendors is to provide information relevant to a particular customer. Users will be able to configure the data flow to receive information about a specific company, industry or region.


Information exchange. The Threat Intelligence market was born out of the exchange of data between companies. As an example of such an exchange, there is a financial and state Computer Emergency Response Team — CERT, which quickly informs companies about ongoing attacks; another example is open systems for exchanging information between cybersecurity experts. The need for collaboration to protect oneself against cyberthreats is being more and more recognized, and the rate of information exchange will only increase.


Digital risk protection. Threat Intelligence is becoming part of risk management when addressing brand protection as a whole. Using TI, it will be possible to track down information about leaks, photos of workstations on social networks, discussions and other data which could be used for building a risk management process.


Business decision support. Today, information from analytical studies and reviews of the global threat landscape helps managers refine their strategies and change the security framework. This trend is expected to gain more traction.


Simplification. Strategic and tactical TI must be more accessible and easier to understand. One of the most popular directions for developing this trend in the last few years has been the MITRE ATT&CK Framework.³¹ This is a knowledge base on the tactics and techniques of cybercriminals, relying on real attack data. Many vendors try to follow the classification created by MITRE. De facto, the ATT&CK Framework is becoming the industry standard for describing attacker techniques — the same process we observed when the OpenIOC or STIX and TAXII formats were used to transmit information about threats.


31. MITRE ATT&CK knowledge base, The MITRE Corporation.


Protecting a modern organization or even an entire country requires new approaches to cybersecurity. Threat Intelligence is not a silver bullet and cannot solve all the problems, but it does make it possible to move effectively towards a modern multi-level security system.


Interview with Bruno Halopeau, 10
Head of Cyber Resilience, Centre for Cybersecurity, World Economic Forum


Interview with Craig Jones, 86
Cybercrime Director, INTERPOL


Interview with Menny Barzilay, 93
Cybersecurity expert and strategic adviser


Interview with Bruno Halopeau
Head of Cyber Resilience, Centre for Cybersecurity, World Economic Forum


Menny


Bruno, you represent the World Economic Forum Centre for Cybersecurity. It is one of the most promising global cybersecurity projects that gathers a wide range of partners from different countries and industries. Could you tell us a little more about the Centre and what you do there?


Bruno 


First of all, cybersecurity is a major issue in this world. The subject has been underestimated, not given due consideration for far too long. It’s keeping me up at night and it should be keeping you and any responsible leader up at night, too.


Let me emphasize one point — cybersecurity 
is such a complex challenge that no one today 
has the capacity to respond to cybersecurity 
issues on their own. Its collective implications 
need a global approach. 


Throughout its nearly 50 years of activity, the World Economic Forum has learned to acknowledge the opinions of, and to cooperate with its members and partners. Hence the Forum established the Centre for Cybersecurity, which was launched at the Annual Meeting in Davos, Switzerland, in January 2018.


We have been developing and improving the 
Centre, its activities and platform for some 18 
months, applying the Forum approach by: 


Bringing unique solutions to global problems — providing an unparalleled discussion space and offering innovative solutions to challenges that cannot be solved elsewhere;


Designing meaningful solutions — solutions 
should be practical, applied and beneficial for 
the professional community; 


Serving as a bridge — solutions are either of 
global reach or local, yet with a potential for 
scaling to regional or global levels. 


This approach has been crucial in preparing a 
high-level, dynamic platform strategy, to meet 
Centre objectives. 


What is a platform? It consists of two main 
elements: 


1. The first necessary element is community. 
We can see that partnership between 
governments and the private sector is 
confronted with many obstacles, especially 
in digital security. We see that cybercrime 
activity is always one step ahead, despite 
the progress made over the years. So, 
we need to join efforts and nourish a 
continuous dialogue between all parties to 
build and reinforce trust in each other. 


2. The second element is action. Platform curation means designing it in a way that ensures it is driven by action.


We are now taking our vision in three main 
directions: 


1. Agenda-setting and capacity-building. We 
help boards and C-suite executives become 
more acutely aware of cyber issues, to help 
tackle them systematically and systemically; 


2. Accelerating decision-making. We are not here to reinvent the wheel; we are trying to take initiatives and approaches already in existence to continue developing and supporting them to extend their reach and efficiency beyond the local level;


3. Shaping the global architecture. In 
globalization 4.0 we have to restructure the 
architecture in light of the Fourth Industrial 
Revolution. Many elements of architecture 
built in the past have to be reframed and 
reshaped. 


At the Centre, my role is Head of Cyber 
Resilience. 


On the one hand, our task is to help 
corporations and governments to improve 
learning from past events so as not to have 
the same recurring issues, and to respond 
and mitigate emerging threats to enable their 
anticipation. 


On the other hand, cyber resilience to us implies not just tools and processes, but also people. We are just as eager to find solutions related to growing human capital and closing the skills shortage. In crisis management, for instance, how can we help cybersecurity professionals deal with extreme stress in moments of crisis?


How can we help them deal with adversity to 
be more operational during those events? How 
can we facilitate cross-sectoral and cross- 
industrial cooperation to enable more efficient 
response? 


Menny 


Why did you decide to engage in Cyber 
Polygon? 


Bruno 


The World Economic Forum Global Risks Report 2019 shows that two of the TOP-5 crucial issues that humanity is currently facing are cybersecurity related: 1) data theft and fraud, and 2) cyberattacks. So the threat is real.


The latter happen every 39 seconds on the 
planet. Some surveys have found that 38% of 
corporations claim to be ready to take on a 
sophisticated cyberattack, which means that 
62% are unprepared. That is not at an acceptable 
level of preparedness and something has to be 
done about it. 


Cyber Polygon is a practical exercise designed for large-scale cyberattacks. The organizers have chosen three of the most common attack scenarios, and also devised a mode of communication and cooperation throughout the entire chain of response. It includes law enforcement officials, states and private-sector representatives from a range of industries. You have a whole chain of response represented and such an opportunity of collaborative work can be extremely valuable in achieving a higher level of resilience maturity.


After all, a company won't be criticized for being the target of a cyberattack, but it will be judged on how successful their response is and how efficiently the company can coordinate with others to reduce downtime, the lifespan of a vulnerability and the time it takes to restore to normal operations.


Menny 


I completely agree. I think focusing on being 100% protected and resilient is utopian. It is rather more important to be prepared to respond to an attack, because this can become a matter of life and death of the company.


Bruno 


That is why the ideal situation would be to bring the percentage of “prepared” corporations to a level as close as possible to 100% — from 38%. As you said, 100% is utopian, but we would like to increase this readiness as fast and as broadly as possible.


Menny 


Indeed, teamwork is very important. Do 
you plan to continue to cooperate with the 
Sberbank group on this project? 


Bruno 


If you look carefully at the landscape of digital threats, the Russian-speaking cybercrime groups are among the most sophisticated. On the other hand, Sberbank and BI.ZONE are among the key players in the field of cybersecurity within Russia and the CIS states region, ensuring daily protection for their customers.


Sberbank Deputy Chairman Stanislav Kuznetsov has mentioned to me earlier today that they handle 6 billion cybersecurity events per day. 6 billion! This is impressive considering that all this information goes through their own CERT. The experience and knowledge the Sberbank group has built about various types of attacks and criminal modus operandi is invaluable. We believe that in combination with that of other Centre partners, it can be instrumental to enhancing cyber resilience and maturity to another level quite fast.


In addition, Sberbank is one of the founding partners of the Centre for Cybersecurity. We worked hard on joint initiatives, and, of course, we will continue to work together. The group advises us on certain issues, makes suggestions at events and during targeted discussions. Sberbank is a strong partner, and I look forward to working together with them in the future.


Menny 


Cyber Polygon is not a competition: here, 
everyone is in the same boat and strives to 
resist a common enemy together. Is there 
anything similar to Cyber Polygon at the World 
Economic Forum Centre for Cybersecurity? 
Would it be beneficial to promote such an 
initiative there? 


Bruno 


At the Centre for Cybersecurity, we share the spirit of cooperation. After all, the Centre is built as a platform: we depend on the knowledge and contribution of the participants in the community we created.


Trainings like Cyber Polygon help participants — and, to a larger extent, the community — to better understand what can potentially happen and how to react. It also shows how important it is to be able to collaborate with various organizations that usually do not interact with each other or do not interact well.


We should not be afraid to test complex 
scenarios: there is room for failure in training, 
which cannot be said about real-life situations. 
Simulate a difficult scenario, put people in 
uncomfortable conditions, make them find 
better solutions, develop new methodologies, 
new ways of communication to respond faster 
and more efficiently — and such lessons can be 
of great benefit to the whole community. 


Practical trainings are generally useful for any 
organization: based on their results, checklists 
can be compiled to follow in the future, build 
best practices, improve existing procedures 
and develop new successful approaches. In the 
end, thanks to the training, your employees will 
be able not only to identify incidents, but also to 
respond to them more effectively. 


A complex cyberattack, on average, is detected 
only after 78 days. How to reduce this period 
to a couple of days or even a couple of hours? 


Trainings, practical exercises and fast and efficient communication flow contribute to the solution.


Menny 


You mentioned building a community and building trust between the different players in cybersecurity. I am convinced that trust is the basis for innovation. If people do not trust unmanned vehicles, they will not drive them; if people do not trust certain websites, they will not refer to them for information.


How can anyone join your confidence-building 
and community-building work? 


Bruno 


Within the framework of the Forum, aiming to 
create a global ecosystem, we bring together a 
mix of stakeholders. 


Leading representatives of their regions and industries are usually already involved in a number of Forum initiatives and easily decide to join the Centre and deal with cybersecurity issues.


We also have niche players and individual specialists whom we strive to integrate into our expert network.


In addition, the Forum Global Future Council 
on Cybersecurity involves representatives of 
government agencies, regulatory authorities 
and the private sector, as well as independent 
scientists and researchers to look ahead to 
future challenges and opportunities. 


Those who want to contribute to our work can 
contact us through our website, and we can 
explore opportunities for strengthening cyber 
resilience in the world together. 


Menny 


Cybersecurity engages talented people, 
companies and startups create amazing 
technologies, but hacker attacks continue. 


The more humanity depends on technology, the easier it is to crack it and the more difficult it is to ensure security. What can be done to change this? Can something give us and the security officers an edge over criminals?


Bruno 


I believe you are referring to information sharing here. The key to a quicker and more effective solution to cybercrime is the exchange of the right information at the right time.


There is too much information and data around 
and it keeps growing. No one wants to overload 
their partners with unnecessary noise. 


It is really important to create channels for information exchange in advance, not when a crisis erupts. During the crisis, you don't have time to find out which law enforcement agencies to contact, how to contact them, how to gather evidence, how to mitigate the consequences while preserving evidence.


It's not easy to create a suitable channel for communication. But as soon as you begin to meet, communicate, you gain confidence, and you can agree on how you organize the exchange of information. When the communications system is operational and functional, appropriate response to a crisis is more likely.


Menny 


My state, Israel, is small. Our prime minister 
once said that a small country has few 
advantages. However, due to the small size 
of Israel, it is easy for us to work together and 
transmit information, so we have a strong 
community. 


Your task is to create a global community, 
unite different countries and different people 
so that they could work together, trust each 
other, exchange information. This is a gigantic 
challenge. How to find trust in such difficult 
conditions? 


Bruno 


There are two areas where trust is required, and 
the conditions are different in both cases. 


The first is trust between private companies in the same market. Here the need to share information is usually understood, the only thing needed is an appropriate mechanism.


For example, I cannot imagine the financial sector not wanting to exchange information about crime: even one bank that has been a victim of cybercrime could lose millions. No one wants this to happen to all the banks, so there is need to share.


The second is trust and information exchange 
between the public and private sectors. 


Government interests can be considered as 
follows. Usually states seek to stimulate their 
economy and create conditions for economic 
growth. The healthier the infrastructure and the 
more actively companies in the country protect 
themselves, the better it is for the economy. 
And for a healthy infrastructure, you need to 
raise the level of digital security, exchange data 
and build trust. 


Private-sector interests are related to business development. Companies have obligations to their shareholders, responsibility to the regulatory bodies, and many stakeholders. If they seriously approach the issue and actively develop trust between stakeholders, this can grow into a great competitive advantage and need not only be seen as a cost centre.


Menny 


We have talked a lot about the exchange of 
information but have not specified what data 
is in mind. It is of different types. This can be 
information like “someone is trying to hack me 
right now” or “this IP address is participating 
in a cyberattack”, data about the tools and 
methods of attacks, or that from cyber 
intelligence about the intentions of a group of 
people to launch an attack. 


What are your expectations as to the easiest information to start sharing? What is more important to share?


Bruno 


The core of information sharing is trust. The 
stronger established trust is, the deeper you 
can dive into the details from the strategic level 
to more operational and tactical. 


Strategic information, for example, on 
cybercriminal methods and modus operandi at 
a high level is the easiest to share. To exchange 
more technical and more precise tactical and 
operational information, people must first get 
to know each other. 


By the way, it is important to build data 
exchange not only between companies, but 
also within organizations. The information is 
always shared by different people, so you need 
to set up local communication channels and 
make sure that they work, and work well. 


Menny 


Sharing information is not easy — doing so involves admitting that you've been hacked. I think that to incentivize people to share, they need to see how data exchange actually helps or benefits the entire ecosystem.


Bruno 


There is nothing shameful in falling victim to a cyberattack. Today, anyone can find themselves in this uncomfortable situation. Cyberattacks take place all the time. The question is not whether you will be attacked — it is when will this happen?


And when that moment comes, you had better 
be ready, cooperation arrangements and all 
procedures should be already designed, tested 
and working. This is the aim of our efforts. 


Menny 


You run many projects, visit different countries, 
meet hundreds of people. With all that you get 
to see, what inspires you most and occupies 
your thoughts more often? 


Bruno 


I am pleased that cybersecurity is getting more and more traction. This is a step in the right direction. You have to remember that, for a long time, cybersecurity has been built from the bottom up by network engineers, system administrators, application architects, product designers.


There has been a bit of a disconnect between CISOs and the Boards. Our goal is to create the necessary understanding and accountability among top-level management, so that the two can be reconciled or at least share the same understanding of risks and work in the same direction.


We want to systematically convey information 
to the leaders of organizations, so that, in turn, 
they could implement a cybersecurity strategy 
within their companies and build top-down 
cybersecurity. In our opinion, this should yield 
better results. 


Menny 


I've asked what inspires you most. Now the 
opposite question: what scares you most? 


Bruno 


The scariest thought for me is “Are we able 
to move fast enough to deal with serious 
cybercrime?” 


I believe that we can. The combinatorial effect 
of the global partnership and global community 
that the Centre for Cybersecurity is currently 
trying to create will prove itself quite quickly and 
have a positive impact. 
INTERPOL is the largest law enforcement 
organization across the globe that connects 
national law enforcement agencies and 
coordinates global investigations. Now, when 
speaking about cybercrime, this function 
carries enormous importance. What initiatives 
does INTERPOL support in this field and what do 
you personally lead as a Cybercrime Director? 


Craig 


As has already been stated, INTERPOL is a 
global organization: it connects 194 national 
police forces across the planet. Thus, we have 
a number of different programs based on close 
cooperation. 


Now, in particular, we are focusing our 
attention on three major programs we have 
thus far identified. These include: “Counter-terrorism”, 
“Organized and emerging crime” and 
“Cybercrime”. 


The latter so happens to be the program which I 
have been leading since May of this year. 


Menny 


I am confident that many interesting things 
are yet to happen for you in this new position. 
But today, we are pleased to welcome you to 
Cyber Polygon. Why did you decide to attend 
this event? 


Craig 


INTERPOL is involved in global partnership 
programs with private partners. At present, this 
list includes 13 organizations, one of which, BI.ZONE, 
happens to be the organizer of today's event. 
So, of course, one of the reasons for coming 
was to support our partner. 


Though, my main objective here is to 
develop relations. INTERPOL is very open to 
collaborating with private partners. To facilitate 
this, we have created the Cyber Fusion Centre — a 
centre for cyber-interaction. 


The Cyber Polygon exercise is a good 
opportunity to meet with many of the 
international organizations, tell them about our 
global law-enforcement program, and what 
business can do to help. 


This program is primarily focused on working 
with information from law enforcement 
agencies and partners. We are designing a 
playbook on how to obtain this data, store it, 
process it, analyze it, and then use it for law 
enforcement purposes. 


We also began the development of a new 
direction within the framework of the program, 
whose task is to reduce the global impact of 
cybercrime and to protect various communities. 
This task meets the global goal of our 
organization, which is the unification of law 
enforcement agencies to build a safer world. 
Everything that I do as part of our program will 
be related to this. 


Menny 


Do you think it would be fruitful to hold this 
kind of event for law enforcement agencies 
around the world? 


Craig 


Law enforcement agencies are already 
conducting this kind of training. 


When I worked in the UK, such a competition 
was part of our five-year program of events 
as an element of our national cybersecurity 
strategy. During the event, we tried to focus 
not only on young specialists, but also on 
experienced personnel who already had one 
or two professions and who wanted to change 
their field of activity. 


Although the test was part of the UK national 
strategy, its scope was global. I attended 
competitions in Singapore in 2018, and then the 
finals in the UK. It was exciting. 


I note that in the UK we also discussed the 
issue of how to involve more women in 
the industry. There are very few of them in 
cybersecurity now: if you take a look around, 
you will see that this field is quite masculine. 


The arrival of the opposite sex in the sphere will 
refresh our image and make it possible to look 
at many problems from a different perspective. 
In the UK, we believe that the specialised 
programs at the National Cybersecurity Centre 
will attract more women from different age 
groups to the industry. 


At a global level, INTERPOL has been 
organizing Digital Security Challenge events 
since 2016. These events bring together 
cybercrime investigators from around the world 
who are given a complex real-world cybercrime 
case they must race against time to solve 
and gather enough evidence for a successful 
prosecution. 


Menny 


Allow me to pursue further the initiative 
aimed at collaboration against cyberattacks 
and cybercriminals. What role do 
collaboration and information sharing play in 
this process? 


Craig 


For me, information and data are the key to 
successfully combating cybercriminals. And, 
since we consider cybercrime a global threat, 
we need to consider information on a global level. 


National law enforcement agencies can counter 
the threat within their own country, collect data, 
and exchange it within the borders of the state. 
But my goal is to organize information flow 
between the 194 countries that we interact with. 


For example, what can we do to transfer 
victim data to our systems? How can we view 
information about victims? Can we visualize 
trends for different regions and countries? 


At annual meetings between the directors of 
5 regional cybercrime task forces, we discuss 
the real challenges they face. Once a year, we 
also gather an international group of experts 
on cyber technology, where we discuss the 
same issues. This helps to paint a fairly 
comprehensive picture of the situation. 


We conduct such meetings mainly for law 
enforcement officials so that they can obtain 
the answers they need. But you have to go 
beyond that. 


And here again, it is worth recalling our 
program, which covers 13 private partner 
organizations. These partner organizations can 
provide us with data within the framework of the 
information exchange agreements. 


In addition, we liaise with local representatives 
to reach common understanding of the threats 
that are relevant to them. For example, one of 
the main threats in Africa may be malware for 
mobile devices. In this region, payments are 
carried out mainly via telephones; cash and 
cards are practically not used. So, if malware 
gets installed on the phone, the user will 
become a potential victim. 


Thus, our task is not only to find and identify 
criminals, but also to identify threats in various 
regions, to convey information to local residents 
and thereby protect the world community. 


Menny 


It is fascinating that there is an organization 
in the world that works or seeks to work 
with each of the countries of the world. This 
shows that we are truly capable of achieving 
something together if we put our minds to it. 


It also seems to me that in cyberspace the 
importance of an organization like INTERPOL 
is growing significantly, because in most 
cases cybercriminals attack victims from 
other countries. 


You have a lot of experience in law 
enforcement, you have seen many interesting 
things there. I'm sure that, understanding 
the need for collaboration in this area, your 
organization considers cybersecurity a 
strategic vector for the development of 
cooperation between countries, right? 


Craig 


That's right. As has already been mentioned, 
trust plays a significant role here. As an 
organization, we must create a trusted 
environment to have confidence in the data 
provided to us, because we can act only on the 
basis of this information — using it ourselves 
and transferring it back to various countries. 


It does not necessarily mean that we will 
contact local law enforcement officials, inform 
them that there is a criminal on their territory, 
and demand immediate action. No, we can 
tell them what measures they can take to 
combat the threat, we can ask with whom they 
cooperate domestically on similar issues (for 
example, with the local CERT or the National 
Cybersecurity Centre). 


It is important to take into account the various 
models of police activity — how cooperation 
is organized, how threats are identified and 
counteracted, including within the countries we 
are addressing. 


Continuing the conversation about such police 
tasks as preventing and solving crimes, it is 
necessary to recall that our main goal is to 
protect people. 


We do a good job in the real world. For example, 
if someone's house is robbed, law enforcement 
officers respond instantly and precisely: the 
police arrive at the scene of the crime, take 
a statement, look for DNA or fingerprints 
to find the criminal. This scheme is quite 
understandable. 


But how do we apply these methods in the 
digital space? With cybercrime, the police no 
longer have to go to the scene of the incident — 
statements and reports can be taken over the 
phone. 


However, interesting questions arise as early 
as the first stage. For example, in a number of 
countries, a victim of a cybercrime has to file 
the incident online. But in such cases, the last 
thing the victim might want to do is to go online 
again. In light of this, shouldn't the approach be 
reconsidered? 


A number of studies show that in some 
countries cybercrimes make up between 40 
and 50 percent of total crimes — and this is 
only from official data. But how many people 
outside these statistics have received a 
phishing email but deleted it? They also need to 
be considered as potential victims. 


Menny 


Indeed, ordinary people are increasingly 
faced with cybercrime. A major role here is 
played by the development of smart homes 
and cities, autonomous cars and other similar 
technologies. 


Sharing information is the key to tackling 
these threats. If we want to create a safer 
future, we need to exchange data. Yet, at the 
same time, this can be very difficult. What 
information do you think people will be ready 
to share? 


Craig 


From my point of view, it is more important, 
firstly, to determine the information we need to 
share and on what level to do so. 


If we talk about with whom we cooperate, I 
emphasize once again: working with law 
enforcement agencies alone is not enough. 
Recently, I have been dealing a lot with issues 
of interaction between various organizations. 
Among them is the World Economic Forum — a 
global platform for collaboration in a range of 
fields including cybersecurity. 


Coming out with this on the international level 
was not accidental: the world community 
is increasingly considering the issue of 
cybersecurity in a global manner, given the 
scale of the threat and understanding the steps 
that need to be taken to counter it. 


Take, for example, the issue of protecting 
critical infrastructure — the performance of 
states depends on it, hence, it cannot but be 
discussed at a high level. Critical infrastructure 
may fail, for instance, due to intentionally built-in 
defects of the algorithm in the code such 
as backdoors in the software. Information 
that helps protect critical infrastructure is very 
important. 


And here we get to the question of what we 
need to share. 


In addition to data for protecting critical 
facilities, the information about the 
cybersecurity strategy is also very important: 
what it should look like at the state level and 
how to build it; what the cybersecurity experts 
of the future will appear to be and where we 
should look for them, what skills will become 
fundamental for such specialists. In other 
words, how is it possible to protect our society 
in the future? 


And it’s also important to have an idea of some 
practical measures: what can each of us do to 
protect ourselves from cyberthreats? 


Here I would again recall the classic police tips 
for the offline world: you need to set an alarm 
in the house, hang locks on the windows and 
close them in time. Similar elemental protection 
tips can also be projected onto cyberspace, 
and people should be willing to follow these 
recommendations. 


However, it should be remembered that in the 
case of cyberspace such “protective” measures 
are no longer enough. Here, the protection 
of each person depends on what they do on 
the Internet, with whom they communicate, 
what sites they visit and what information they 
submit there. 


And if we consider not each person individually, 
but entire industries — what responsibility do 
they have in creating a cyber-resilient society? 
What do industry representatives do to protect 
their customers? 


All these aspects require consideration and 
discussion, and we must share the information 
about these things and continue to work on 
them. 


Menny 


Just before the interview we spoke about the 
importance of education, where you said that 
education alone was not enough. Can you 
elaborate? 


Craig 


When talking about education, there are two 
aspects that need to be considered: there is the 
theoretical study of things, and then there is the 
practical process of acquiring and developing 
the necessary skills. 


We can keep organizing trainings to 
an unlimited extent, but they would not 
always prove useful, especially if we are 
testing ourselves. For example, various law 
enforcement agencies often conduct online 
testing, where participants simply need to 
choose the right answer. To what extent can 
this be called interactive learning? Do such 
trainings teach us anything, do they help us 
analyze mistakes? 


We are all very busy people, and one of 
the other invited experts, Bruno Halopeau 
from the World Economic Forum Centre for 
Cybersecurity, puts it correctly saying that it 
is only with the next crisis that we will gain an 
understanding of what we are truly capable of. 
Crises are a common phenomenon, and that is 
not a bad thing as long as we are equipped with 
the necessary procedures to deal with such 
cases. But what if none of the employees have 
received appropriate training so they cannot 
work together? 


The lesson I learned from dealing with 
cybercrime is that law enforcement agencies 
cannot handle it on their own. Therefore, the 
team I put together at my last place of work 
consisted of investigators, technical experts, 
researchers, and all these people were 
constantly working together. The results we got 
were quite amazing. 


Team expansion and its training is, of course, a 
matter of priority. Law enforcement agencies 
have a whole range of tasks, which require the 
resources to be allocated on the basis of what 
today is seen as the main threat and could 
cause the most harm. 


Menny 


Typically, company representatives do not 
call INTERPOL directly: they reach out to the 
police, and they, in turn, call you. At what point 
do you think a company should contact law 
enforcement? 


Craig 


My answer here is quite obvious: if you have 
been affected by a cyberattack, then, as is the 
case with any other crime, the first thing you 
ought to do is to contact law enforcement. 


Sometimes companies hesitate to contact 
the police for the fear of causing damage 
to reputation and similar problems. The 
reluctance to disclose details is not relevant 
in each and every investigation, but these 
concerns do exist. However, we cannot get by 
without the information about attacks. We need 
to be able to investigate them, determine their 
characteristics, understand what data has been 
affected, what lessons can be extracted from 
this to prevent similar attacks in the future. 


Not only the police but other government 
agencies follow the same scheme too. It is not 
exclusive to the police. For example, we have 
already mentioned the Computer Emergency 
Response Centres (CERT) and the National 
Cyber Security Centres. 


By the way, if you were to ask me what incident 
response model I would recommend for the 
future, I would say it would have to be close 
cooperation with law enforcement agencies 
and CERTs. In this case, we can simultaneously 
mitigate the attack and investigate the crime. 


As an example of such interaction at INTERPOL, 
I would cite the ASEAN network. Within its 
framework, we collaborate with a dozen 
countries where the active ongoing projects 
include building up competencies and human 
resources. We held a meeting between law 
enforcement officials from these countries, 
in Singapore, this June where we also invited 
representatives of local CERTs. The event was 
a great success as it gave them the opportunity 
to start building these important relationships. 


Clearly this is not a panacea or a solution to all 
our problems. But such an example shows that 
pooling the available resources definitely makes 
sense. CERT centres can focus on responding 
and mitigating the consequences of an attack, 
while the police investigate the crime, assess 
damage, track down criminals and, perhaps, try 
to prevent the stolen funds from getting to their 
pockets. 


Menny 


When we talk about innovation, Google, 
Microsoft, and other technology companies 
immediately come to mind, but the 
technological progress inside your 
organization is itself quite serious. You 
have very interesting views regarding our 
future, including the future of policing and 
cybersecurity. 


Craig 


Indeed, innovation is part and parcel of 
INTERPOL. 


We are based in the INTERPOL Global Complex 
for Innovation in Singapore — a high-tech 
facility we share with a specialized team on 
breakthrough technologies. With its help, we 
analyze the current state of affairs and try to 
predict possible threats the police might face in 
the future. 


Menny 


Tell me a little bit more about your team and 
about what you are doing right now. And what 
goals do you expect to achieve in the next few 
years? 


Craig 


My team consists of law enforcement 
officers seconded from INTERPOL member 
countries and professionals with a range of 
complementary skills. These officers include 
experts who have long been working with 
cybercrime and from other areas whom we 
immerse in our processes at the global level. 


If we talk about plans: in 2016 our organization 
released a global document on combating 
cybercrime — now we are thinking about 
changing and updating it. 


In addition, we are working on a number 
of projects to build human resources and 
competencies. It is very important for me 
to understand what competencies law 
enforcement agencies need to successfully 
combat cybercrime. In this regard, we are 
considering different options. 


We also work in the field of cyber intelligence. 
Our Cyber Fusion Centre comes in helpful here. 
The facility gathers experts from around the 
globe and leads a well-defined cooperation 
model with our private partners. 


Interaction with companies is a new model 
for the police, and sometimes it is difficult to 
agree on how this should be done with regards 
to business. The sharing of information from 
law enforcement agencies or other confidential 
data with business is not a trivial task. We avoid 
any excesses by taking certain measures to 
protect information. 


This is a very good opportunity for cooperation, 
and we really want to continue this work. Our 
private partners have access to knowledge, 
qualified threat assessment and the necessary 
data about these threats — if we could get our 
hands on this information, we would be able to 
turn it into an application tool for the police — a 
tool that is going to be monumental in helping 
to reduce the damage from cybercrime and 
protecting the global community. 


Menny 


Suppose, someone wants to contribute to your 
efforts. How can they go about doing this? 


Craig 


Judging by the traffic statistics of our website, 
many people really care about cybersecurity. 


I raise the issue of cooperation at every event I 
speak at. I turn to international companies for 
support, I tell them about their responsibility to 
society. We are trying to involve more and more 
organizations in our work and encourage them 
to contribute to the common cause. 


We can involve our partners through an 
exclusive communication platform. There we 
can say: “Look, we have a global programme 
to combat cybercrime. We are faced with such 
and such problems. Do you think you can help 
us reduce the damage and protect the digital 
sphere?” 


INTERPOL is open to cooperation not only with 
law enforcement agencies, but also with private 
companies and in general with everyone who 
is willing to invest in developing a strategy for a 
secure future. 


Interview with 
Menny, let me just start off by asking you 
about your first impression regarding the 
results of today's training? 


Menny 


It was an amazing event. I think the path to 
learning cybersecurity is not through books, 
but rather through practical exercises such 
as this. Moreover, it should not be viewed as 
a competition, this is to everyone's advantage, 
we are all in this one boat together. The 
fact that people are becoming more versed 
in cybersecurity actually helps the entire 
ecosystem. 


The results we have seen following this training 
prove just how important it is to have an 
established information exchange and how 
effective it is — after all, this is the first effective 
step which is the ground work for any joint work 
and projects. To cope with the challenges of the 
future, we need to get to know each other, build 
a trusted environment around us and between 
one another. 


Alexander 


Being a cybersecurity expert yourself, what 
can you say about three scenarios that we 
have chosen for today's training: DDoS attack, 
web application attack and ransomware? 


Menny 


Those three attacks are actually very common 
indeed and I commend the decision to have 
chosen them specifically. 


DDoS attacks are gradually becoming more 
severe. Every three, four or five years we hear 
about a major DDoS attack that takes a great 
portion of the Internet down. It will probably 
happen again in the next few years. 


Ransomware attacks are amazing in the sense 
that we don't have an effective solution for 
them right now. Obviously, backing up your files 
is good, as is having some anomaly detection 
solutions in place, but we will see more and 
more ransom attacks happening with the rise 
of the Internet of Things in our lives, and when 
ransomware attacks move from computers to 
smart devices, we will have nothing to respond 
with. 


As for web application attacks, it never ceases 
to amaze me just how much headache SQL 
injections have brought upon businesses 
and how long-lasting this issue has been. It 
seems that SQL injection has been the topic 
of conversation for the last 15 years, as it 
continues to remain one of the most effective 
and simplest attacks. 


We must understand that we cannot achieve 
100% security; nothing is immune to hacking 
these days. And I would go so far as to bet that 
some of the people following this event will 
experience at least one of those attacks in the 
nearest years to come. 


Alexander 


This is the first time that Cyber Polygon has 
been held. What recommendations do you 
have for us? How can we make the event 
better next time? 


Menny 


I think the event is great as it is already. 


Collaboration is the key in the sense that 
countries should work together. If we can 
spread this concept globally, and have more 
and more countries joining in this event, sharing 
more information, working together, I think that 
it will benefit everyone. 


Criminals and hackers are very good at working 
together. They share information, run joint 
projects and uphold criminal businesses where 
they trade between each other. Being on the 
opposite end of that, we, in cybersecurity, have 
to be able to stop crime in its tracks and do it 
more effectively in cooperation. Exercises like 
Cyber Polygon help us strengthen international 
and cross-industry cooperation. We simply 
have to elevate this issue to a global level. 


Alexander 


Menny, I travel around the world, I go to 
conferences and workshops. Everywhere 
people agree with the concept that 
information should be shared. Why do you 
think it's taking the world so long to get 
around to it? 


Menny 


Well, there are several reasons for that, in my 
opinion. 


The first reason is that there's a difference 
between the technical specialists who are 
usually eager to share information and the 
business administrators who are usually eager 
to limit the exposure of information. Take, for 
instance, a case where the Chief Information 
Security Officer (CISO) from one company 
wants to collaborate with the CISO of another, 
then the CEO comes in to shoot down the 
initiative saying: “No, the information about our 
company can only be distributed through the 
PR department” — and we're back to making 
zero progress. 


Secondly, we still don't have a good model 
for sharing information. Such models are 
being developed, however — let me give you 
an example. In the Tel Aviv University, we have 
developed a model which focuses on sharing 
information about the past, the present and the 
future. Sharing information about the future is 
the easiest. Information about the present is a 
little harder to share, and information about the 
past, it's the hardest of all. Why may that be the 
case? 


Information about the future is the information 
about your vulnerabilities, new attack vectors, 
etc. In other words — it's intent. You may 
encounter a group on the darknet discussing 
a plan of attack on a company or something 
of that sort. Information about the future is 
easy to share: the moment you find something 
like that, you send it to people. Information 
about the present, it's harder. This is tactical 
information. This is sharing information about 
something going on right now. I see an IP 
address engage in some kind of attack, I see 
a bank account engage in some kind of fraud 
scenario, whatever it is, you want to have 
an ability to share real-time information that 
might help other companies. What happens 
a lot is that a company is being attacked, and 
they think they are the only ones that are 
being attacked, but it is actually an attack on 
the entire sector, and other companies are 
being attacked at the same time, and if they 
knew that, they could collaborate and stop 
everything much quicker. And then we have 
the information about the past. Information 
about the past means that you know: “I was 
attacked, and now I have information about 
this attack, what happened, what we did wrong, 
and what other people shouldn't do, so this 
would not happen to them again”. But this is 
hard to share. It has to start with the fact that 
companies should first acknowledge the day 
they were attacked. I would suggest starting 
to build an ecosystem by having the meetings. 
People should meet one another and talk 
about the easiest information to share which 
is information about the future, and slowly 
build the trust needed to share other types of 
information. 


Alexander 


You brought up a very interesting point. You 
said that companies are not eager to tell 
everyone that they've been hacked, and this 
is what we saw in the past. But in reality, 
eventually everybody finds out about the 
hack, and then it's even worse. How do we 
explain to the businesses that it's better to 
openly say “Ok, I've been hacked, but I have 
the situation under control, I did the training 
and everything”? How do we explain it to the 
world? 


Menny 


Well, it's true that we're living in the world where 
it's very hard to keep secrets, but at the same 
time I must admit that there are many hacks 
out there that the public is unaware of. We're 
doing a lot of crisis management, we help a 
lot of companies to deal with cyber incidents. 
In many cases the public is not aware of that. 


Some of those companies don't need to 
disclose this kind of information. But it is true 
that when you try to hide such a scenario and 
eventually the public finds out, this causes 
great damage. In our experience, if you just 
start on day 1, sharing the information, being 
transparent, telling people “We're being hacked, 
we're doing everything that we can, we have the 
security systems, we currently don't know what 
is the extent of the attack, but we are actually 
investigating that, we don't have currently 
information about any private data that was 
stolen, we will keep you updated on a day-to-day 
basis”, when companies many times 
act like that, we see the reputation goes down 
a little bit, and then after the incident it goes 
up even higher than what it used to be. It's not 
always true, and it depends on the company 
and the attack and exactly what happened, 
but being transparent about incidents usually 
works in the benefit of the company that has 
fallen victim. 


Alexander 


Thank you very much, Menny. 







